refactor(casbackend): tighten managed-CAS org plumbing per PR review

Follow-ups from the PR review on #3121:

* JWT OrgID claim is restored to backend.OrganizationID (instead of
  the authenticated caller's currentOrg). For cross-org downloads
  (FindCASMappingForDownloadByUser may return a backend from any org
  the caller belongs to) the JWT must address the AP that actually
  owns the data; authorization is enforced earlier by the mapping
  lookup. Inline comments at those call sites were dropped — the
  reasoning lives in this commit and the design doc.
* CASCredsOpts.OrgID is now uuid.UUID instead of string, matching
  every other org-id field in biz; the JWT boundary stringifies once
  and treats uuid.Nil as "no managed binding".
* The s3accesspoint-specific ctx-key helper moves up to the
  pkg/blobmanager umbrella as backend.WithRequestingOrg /
  backend.RequestingOrgFromContext. Generic primitive, not tied to
  any one provider, and reusable for future managed backends.
* Setting the requesting-org on ctx is now done by an auth-boundary
  middleware in app/artifact-cas/internal/server/auth.go
  (requestingOrgMiddleware for unary gRPC, jwtAuthFunc enrichment for
  stream gRPC, requestingOrgHTTPMiddleware for the download HTTP
  handler). The service layer no longer carries loadBackendForClaims;
  all four CAS service entry points are back to plain loadBackend.

Assisted-by: Claude Code
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Chainloop-Trace-Sessions: 234a03ed-b238-4506-95f0-235242842db2
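
The requesting-org plumbing described in the last two bullets of the commit message, as an added Go example that is not Chainloop's code: a context key set once by an auth-boundary HTTP middleware and read by the layer below it. The function signatures, the `OrgID` stand-in for `uuid.UUID`, and the `Middleware`, `verify` and `Probe` names are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// OrgID stands in for uuid.UUID; its zero value plays the role of uuid.Nil.
type OrgID [16]byte

// requestingOrgKey is unexported, so only this package can set or read the value.
type requestingOrgKey struct{}

// WithRequestingOrg binds the caller's org to ctx (assumed signature).
func WithRequestingOrg(ctx context.Context, org OrgID) context.Context {
	return context.WithValue(ctx, requestingOrgKey{}, org)
}

// RequestingOrgFromContext treats a missing or nil org as "no managed binding".
func RequestingOrgFromContext(ctx context.Context) (OrgID, bool) {
	org, _ := ctx.Value(requestingOrgKey{}).(OrgID)
	return org, org != (OrgID{})
}

// Middleware sets the org once at the auth boundary, after verify accepts the token.
func Middleware(verify func(*http.Request) (OrgID, error), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		org, err := verify(r)
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(WithRequestingOrg(r.Context(), org)))
	})
}

// Probe sends one constructed request and reports what the inner handler saw.
func Probe(org OrgID, verifyErr error) (status int, seen OrgID, bound bool) {
	h := Middleware(func(*http.Request) (OrgID, error) { return org, verifyErr },
		http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
			seen, bound = RequestingOrgFromContext(r.Context())
		}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/constructed", nil))
	return rec.Code, seen, bound
}

func main() { fmt.Println(Probe(OrgID{1}, nil)) }
```

Because the key type is unexported, code outside the package can bind the org only through `WithRequestingOrg`, which keeps the write confined to the auth boundary.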