
Commit b4e022b

feat(authz): forward CAS backend creation to external authorizer (#3148)
1 parent a221b6c commit b4e022b

2 files changed

Lines changed: 32 additions & 2 deletions


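--- a/app/controlplane/pkg/authz/authz.go
+++ b/app/controlplane/pkg/authz/authz.go
@@ -375,7 +375,7 @@ var ServerOperationsMap = map[string]*OperationPolicy{
 // CAS Backend listing
 "/controlplane.v1.CASBackendService/List": {Policies: []*Policy{PolicyCASBackendList}},
 "/controlplane.v1.CASBackendService/Revalidate": {Policies: []*Policy{PolicyCASBackendUpdate}},
-"/controlplane.v1.CASBackendService/Create": {Policies: []*Policy{PolicyCASBackendCreate}},
+"/controlplane.v1.CASBackendService/Create": {Policies: []*Policy{PolicyCASBackendCreate}, ExternalAuthz: true},
 // Available integrations
 "/controlplane.v1.IntegrationsService/ListAvailable": {Policies: []*Policy{PolicyAvailableIntegrationList, PolicyAvailableIntegrationRead}},
 // Registered integrations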
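Review bot: The Create entry is now the only CASBackendService operation carrying `ExternalAuthz: true`, and nothing in the table says why creation is delegated to the external authorizer while Revalidate and List stay local, so the asymmetry reads as accidental to the next reader. Suggest a comment on that line, e.g. `// Create is additionally forwarded to the external authorizer; the local PolicyCASBackendCreate check still applies.`, adjusting the second clause if the flag in fact replaces the local policy, which this hunk does not show. Whether a request fails closed when the external authorizer is unreachable or unconfigured is also not visible here; if that is decided elsewhere, a pointer to it next to the flag would help reviewers of future entries. The enclosing ServerOperationsMap literal starts and ends outside the hunk.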

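--- a/app/controlplane/pkg/authz/authz_test.go
+++ b/app/controlplane/pkg/authz/authz_test.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2024-2025 The Chainloop Authors.
+// Copyright 2024-2026 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -129,6 +129,36 @@ func TestDoSync(t *testing.T) {
 assert.Equal(t, "delete", got[0][2])
 }
 
+func TestRequiresExternalAuthz(t *testing.T) {
+testCases := []struct {
+name string
+operation string
+want bool
+}{
+{
+name: "CAS backend creation is forwarded to the external authorizer",
+operation: "/controlplane.v1.CASBackendService/Create",
+want: true,
+},
+{
+name: "operations without external authz flag are not forwarded",
+operation: "/controlplane.v1.WorkflowService/List",
+want: false,
+},
+{
+name: "unknown operations are not forwarded",
+operation: "/controlplane.v1.UnknownService/Unknown",
+want: false,
+},
+}
+
+for _, tc := range testCases {
+t.Run(tc.name, func(t *testing.T) {
+assert.Equal(t, tc.want, RequiresExternalAuthz(tc.operation))
+})
+}
+}
+
 func testEnforcer(t *testing.T) (*CasbinEnforcer, io.Closer) {
 f, err := os.CreateTemp(t.TempDir(), "policy*.csv")
 if err != nil {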
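Review bot: In TestRequiresExternalAuthz the second case ("operations without external authz flag are not forwarded") is not distinguishable from the third: if "/controlplane.v1.WorkflowService/List" were ever removed or renamed in ServerOperationsMap, RequiresExternalAuthz would presumably still return false for it and the case would keep passing for the wrong reason. Add a presence check to that case, e.g. `_, known := ServerOperationsMap[tc.operation]` followed by `assert.True(t, known, "operation must exist in ServerOperationsMap")`, or give each case an `exists bool` field and assert it alongside `want`. If Create is meant to be the only forwarded operation for now (the authz.go hunk flags no other entry), a sweep over ServerOperationsMap asserting ExternalAuthz is false for every other key would catch a second entry being flagged by accident. testEnforcer, which begins at the bottom of the hunk, continues outside it.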
