chainloop-dev
diff --git a/‎app/controlplane/pkg/authz/authz.go‎
Lines changed: 7 additions & 0 deletions b/‎app/controlplane/pkg/authz/authz.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎app/controlplane/pkg/authz/membership.go‎
Lines changed: 2 additions & 0 deletions b/‎app/controlplane/pkg/authz/membership.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎app/controlplane/pkg/biz/membership.go‎
Lines changed: 3 additions & 2 deletions b/‎app/controlplane/pkg/biz/membership.go‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎app/controlplane/pkg/data/ent/client.go‎
Lines changed: 32 additions & 0 deletions b/‎app/controlplane/pkg/data/ent/client.go‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎app/controlplane/pkg/data/ent/membership.go‎
Lines changed: 51 additions & 1 deletion b/‎app/controlplane/pkg/data/ent/membership.go‎
Lines changed: 51 additions & 1 deletion
diff --git a/‎app/controlplane/pkg/data/ent/membership/membership.go‎
Lines changed: 57 additions & 2 deletions b/‎app/controlplane/pkg/data/ent/membership/membership.go‎
Lines changed: 57 additions & 2 deletions
@@ -90,6 +90,11 @@ const (
 
 	// RoleGroupMaintainer is a role that can manage groups in an organization.
 	RoleGroupMaintainer Role = "role:group:maintainer"
+
+	// Product roles
+
+	RoleProductViewer Role = "role:product:viewer"
+	RoleProductAdmin  Role = "role:product:admin"
 )
 
 // ManagedResources are the resources that are managed by Chainloop, considered during permissions sync
@@ -443,6 +448,8 @@ func (Role) Values() (roles []string) {
 		RoleProjectAdmin,
 		RoleProjectViewer,
 		RoleGroupMaintainer,
+		RoleProductAdmin,
+		RoleProductViewer,
 	} {
 		roles = append(roles, string(s))
 	}
 
@@ -27,6 +27,7 @@ const (
 
 	ResourceTypeOrganization ResourceType = "organization"
 	ResourceTypeProject      ResourceType = "project"
+	ResourceTypeProduct      ResourceType = "product"
 	ResourceTypeGroup        ResourceType = "group"
 )
 
@@ -46,6 +47,7 @@ func (ResourceType) Values() (values []string) {
 		string(ResourceTypeOrganization),
 		string(ResourceTypeProject),
 		string(ResourceTypeGroup),
+		string(ResourceTypeProduct),
 	)
 
 	return
 
@@ -40,6 +40,7 @@ type Membership struct {
 	MemberID       uuid.UUID
 	ResourceType   authz.ResourceType
 	ResourceID     uuid.UUID
+	ParentID       *uuid.UUID
 }
 
 // ListByOrgOpts are the options to filter memberships of an organization
@@ -74,7 +75,7 @@ type MembershipRepo interface {
 	// ListGroupMembershipsByUser returns all memberships of the users inherited from groups
 	ListGroupMembershipsByUser(ctx context.Context, userID uuid.UUID) ([]*Membership, error)
 	ListAllByResource(ctx context.Context, rt authz.ResourceType, id uuid.UUID) ([]*Membership, error)
-	AddResourceRole(ctx context.Context, orgID uuid.UUID, resourceType authz.ResourceType, resID uuid.UUID, mType authz.MembershipType, memberID uuid.UUID, role authz.Role) error
+	AddResourceRole(ctx context.Context, orgID uuid.UUID, resourceType authz.ResourceType, resID uuid.UUID, mType authz.MembershipType, memberID uuid.UUID, role authz.Role, parentID *uuid.UUID) error
 }
 
 type MembershipsRBAC interface {
@@ -409,7 +410,7 @@ func (uc *MembershipUseCase) SetProjectOwner(ctx context.Context, orgID, project
 		}
 	}
 
-	if err = uc.repo.AddResourceRole(ctx, orgID, authz.ResourceTypeProject, projectID, authz.MembershipTypeUser, userID, authz.RoleProjectAdmin); err != nil {
+	if err = uc.repo.AddResourceRole(ctx, orgID, authz.ResourceTypeProject, projectID, authz.MembershipTypeUser, userID, authz.RoleProjectAdmin, nil); err != nil {
 		return fmt.Errorf("failed to set project owner: %w", err)
 	}
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ const (`
`27`	`27`
`28`	`28`	`ResourceTypeOrganization ResourceType = "organization"`
`29`	`29`	`ResourceTypeProject ResourceType = "project"`
	`30`	`+ ResourceTypeProduct ResourceType = "product"`
`30`	`31`	`ResourceTypeGroup ResourceType = "group"`
`31`	`32`	`)`
`32`	`33`
`@@ -46,6 +47,7 @@ func (ResourceType) Values() (values []string) {`
`46`	`47`	`string(ResourceTypeOrganization),`
`47`	`48`	`string(ResourceTypeProject),`
`48`	`49`	`string(ResourceTypeGroup),`
	`50`	`+ string(ResourceTypeProduct),`
`49`	`51`	`)`
`50`	`52`
`51`	`53`	`return`
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@ type Membership struct {`
`40`	`40`	`MemberID uuid.UUID`
`41`	`41`	`ResourceType authz.ResourceType`
`42`	`42`	`ResourceID uuid.UUID`
	`43`	`+ ParentID *uuid.UUID`
`43`	`44`	`}`
`44`	`45`
`45`	`46`	`// ListByOrgOpts are the options to filter memberships of an organization`
`@@ -74,7 +75,7 @@ type MembershipRepo interface {`
`74`	`75`	`// ListGroupMembershipsByUser returns all memberships of the users inherited from groups`
`75`	`76`	`ListGroupMembershipsByUser(ctx context.Context, userID uuid.UUID) ([]*Membership, error)`
`76`	`77`	`ListAllByResource(ctx context.Context, rt authz.ResourceType, id uuid.UUID) ([]*Membership, error)`
`77`		`- AddResourceRole(ctx context.Context, orgID uuid.UUID, resourceType authz.ResourceType, resID uuid.UUID, mType authz.MembershipType, memberID uuid.UUID, role authz.Role) error`
	`78`	`+ AddResourceRole(ctx context.Context, orgID uuid.UUID, resourceType authz.ResourceType, resID uuid.UUID, mType authz.MembershipType, memberID uuid.UUID, role authz.Role, parentID *uuid.UUID) error`
`78`	`79`	`}`
`79`	`80`
`80`	`81`	`type MembershipsRBAC interface {`
`@@ -409,7 +410,7 @@ func (uc *MembershipUseCase) SetProjectOwner(ctx context.Context, orgID, project`
`409`	`410`	`}`
`410`	`411`	`}`
`411`	`412`
`412`		`- if err = uc.repo.AddResourceRole(ctx, orgID, authz.ResourceTypeProject, projectID, authz.MembershipTypeUser, userID, authz.RoleProjectAdmin); err != nil {`
	`413`	`+ if err = uc.repo.AddResourceRole(ctx, orgID, authz.ResourceTypeProject, projectID, authz.MembershipTypeUser, userID, authz.RoleProjectAdmin, nil); err != nil {`
`413`	`414`	`return fmt.Errorf("failed to set project owner: %w", err)`
`414`	`415`	`}`
`415`	`416`