fix(allowlist): run in most of the routes (#992)

migmartri · web-flow · commit 7e1d67228a90 · 2024-06-19T14:07:09.000+02:00
Signed-off-by: Miguel Martinez Trivino &lt;miguel@chainloop.dev&gt;
diff --git a/app/controlplane/internal/server/grpc.go b/app/controlplane/internal/server/grpc.go
@@ -190,6 +190,8 @@ func craftMiddleware(opts *Opts) []middleware.Middleware {
 			// 4 - Make sure the account is fully functional
 			selector.Server(
 				usercontext.CheckUserInAllowList(opts.AuthConfig.AllowList),
+			).Match(allowListEnabled()).Build(),
+			selector.Server(
 				usercontext.CheckOrgRequirements(opts.CASBackendUseCase),
 			).Match(requireFullyConfiguredOrgMatcher()).Build(),
 		).Match(requireCurrentUserMatcher()).Build(),
@@ -235,6 +237,15 @@ func requireFullyConfiguredOrgMatcher() selector.MatchFunc {
 	}
 }
 
+func allowListEnabled() selector.MatchFunc {
+	// the allow list should not affect the ability to know who you are and delete your account
+	const skipRegexp = "controlplane.v1.ContextService/Current|/controlplane.v1.AuthService/DeleteAccount"
+	return func(ctx context.Context, operation string) bool {
+		r := regexp.MustCompile(skipRegexp)
+		return !r.MatchString(operation)
+	}
+}
+
 func requireRobotAccountMatcher() selector.MatchFunc {
 	const requireMatcher = "controlplane.v1.AttestationService/.*|controlplane.v1.AttestationStateService/.*|controlplane.v1.SigningService/.*"
 	return func(ctx context.Context, operation string) bool {
