feat: dynamic allow-list (#2048)

Signed-off-by: Miguel Martinez <[email protected]>

Author: migmartri

app/controlplane/cmd/main.go

@@ -162,7 +162,7 @@ func main() {
 
 	// Sync user access
 	go func() {
-		if err := app.userAccessSyncer.StartSyncingUserAccess(ctx); err != nil {
+		if err := app.userAccessSyncer.SyncUserAccess(ctx); err != nil {
 			_ = logger.Log(log.LevelError, "msg", "syncing user access", "error", err)
 		}
 	}()

app/controlplane/cmd/wire_gen.go

@@ -83,7 +83,7 @@ auth:
     # rules: ["@chainloop.local"]
     # selected_routes: ["/controlplane.v1.WorkflowRunService/List"]
     # custom_message: "you need to require access here http://foo.com"
-    
+    # allow_db_overrides: true # if false, the user access flag in the DB will mirror the allowlist, otherwise it will be respected
 
 # referrer_shared_index:
 #   enabled: true

app/controlplane/configs/config.devel.yaml

@@ -204,6 +204,10 @@ message Auth {
     string custom_message = 2;
     // The list of routes that will be affected by this middleware, by default all of them
     repeated string selected_routes = 3;
+    // Whether to treat the information stored in the user table as the source of truth
+    // if false, the allowList rules will be used as source of truth
+    // if true, the allowList rules will be used as a starting point to populate the property in the DB
+    bool allow_db_overrides = 4;
   }
 }
 

app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go

@@ -194,7 +194,7 @@ func craftMiddleware(opts *Opts) []middleware.Middleware {
 			).Match(requireAllButOrganizationOperationsMatcher()).Build(),
 			// 4 - Make sure the account is fully functional
 			selector.Server(
-				usercontext.CheckUserInAllowList(opts.AuthConfig.AllowList),
+				usercontext.CheckUserHasAccess(opts.AuthConfig.AllowList, opts.UserUseCase),
 			).Match(allowListEnabled()).Build(),
 			selector.Server(
 				usercontext.CheckOrgRequirements(opts.CASBackendUseCase),