diff --git a/app/controlplane/internal/service/cascredential.go b/app/controlplane/internal/service/cascredential.go index 5f8514724..9729100fa 100644 --- a/app/controlplane/internal/service/cascredential.go +++ b/app/controlplane/internal/service/cascredential.go @@ -117,20 +117,23 @@ func (s *CASCredentialsService) Get(ctx context.Context, req *pb.CASCredentialsS projectIDs[orgID] = []uuid.UUID{*currentAPIToken.ProjectID} } mapping, err = s.casMappingUC.FindCASMappingForDownloadByOrg(ctx, req.Digest, []uuid.UUID{orgID}, projectIDs) - } - - if err != nil && !biz.IsNotFound(err) { - if biz.IsErrValidation(err) { - return nil, errors.BadRequest("invalid", err.Error()) + if err != nil && !biz.IsNotFound(err) { + if biz.IsErrValidation(err) { + return nil, errors.BadRequest("invalid", err.Error()) + } + return nil, handleUseCaseErr(err, s.log) } - return nil, handleUseCaseErr(err, s.log) } if mapping != nil { backend = mapping.CASBackend - } else if authz.Role(currentAuthzSubject).IsAdmin() { - // fallback to default mapping for admins - backend = defaultBackend + } else { + // fallback to default backend if the user or the token is allowed to + if ok, err := s.authzUC.Enforce(ctx, currentAuthzSubject, authz.PolicyDefaultBackendArtifactRead); err != nil { + return nil, handleUseCaseErr(err, s.log) + } else if ok { + backend = defaultBackend + } } case casJWT.Uploader: backend = defaultBackend diff --git a/app/controlplane/pkg/authz/authz.go b/app/controlplane/pkg/authz/authz.go index ab081eaa3..df914ebef 100644 --- a/app/controlplane/pkg/authz/authz.go +++ b/app/controlplane/pkg/authz/authz.go @@ -63,6 +63,7 @@ const ( ResourceAPIToken = "api_token" ResourceProjectMembership = "project_membership" ResourceOrganizationInvitations = "organization_invitations" + ResourceDefaultBackend = "default_backend" // Top level instance admin role // this is used to know if an user is a super admin of the chainloop instance @@ -107,6 +108,8 @@ var ( // Artifact PolicyArtifactDownload = &Policy{ResourceCASArtifact, ActionRead} PolicyArtifactUpload = &Policy{ResourceCASArtifact, ActionCreate} + // Being able to read from the default backend + PolicyDefaultBackendArtifactRead = &Policy{ResourceDefaultBackend, ActionRead} // CAS backend PolicyCASBackendList = &Policy{ResourceCASBackend, ActionList} PolicyCASBackendUpdate = &Policy{ResourceCASBackend, ActionUpdate} @@ -198,6 +201,8 @@ var RolesMap = map[Role][]*Policy{ PolicyArtifactUpload, // We manually check this policy to be able to know if the user can invite users to the system PolicyOrganizationInvitationsCreate, + // Being able to read from the default backend + PolicyDefaultBackendArtifactRead, // + all the policies from the viewer role inherited automatically }, // RoleViewer is an org-scoped role that provides read-only access to all resources