Skip to content

feat: add operation authorization forward middleware#3021

Merged
Piskoo merged 7 commits into
chainloop-dev:mainfrom
Piskoo:pfm-5407
Apr 14, 2026
Merged

feat: add operation authorization forward middleware#3021
Piskoo merged 7 commits into
chainloop-dev:mainfrom
Piskoo:pfm-5407

Conversation

@Piskoo

@Piskoo Piskoo commented Apr 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Added a middleware that forwards operations to an external authorization endpoint before allowing them to proceed. Disabled by default.

@Piskoo Piskoo marked this pull request as ready for review April 10, 2026 08:54

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 10 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="app/controlplane/internal/usercontext/operation_authorization_middleware.go">

<violation number="1" location="app/controlplane/internal/usercontext/operation_authorization_middleware.go:96">
P1: Cache key omits `orgID`, but the authorization request includes it. If the external endpoint's decision depends on the organization, a cached "allowed" result for one org will incorrectly apply to another org for the same user and operation.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.

Comment thread app/controlplane/internal/usercontext/operation_authorization_middleware.go Outdated
Comment thread app/controlplane/internal/usercontext/operation_authorization_middleware.go Outdated
return nil, fmt.Errorf("marshaling request: %w", err)
}

httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we might want to forward the API token as a header

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That should be the way. @Piskoo check how we do with policy providers. We use plain Bearer header so that providers can authenticate it automatically using standard middlewares.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated, thanks

Comment thread app/controlplane/internal/usercontext/operation_authorization_middleware.go Outdated
return nil, fmt.Errorf("marshaling request: %w", err)
}

httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That should be the way. @Piskoo check how we do with policy providers. We use plain Bearer header so that providers can authenticate it automatically using standard middlewares.

@Piskoo Piskoo marked this pull request as draft April 10, 2026 14:30
@Piskoo Piskoo marked this pull request as ready for review April 13, 2026 08:01
@Piskoo Piskoo requested review from jiparis and migmartri April 13, 2026 08:01

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 25 files

Comment thread app/controlplane/cmd/wire.go Outdated
return nil, func() {}, nil
}

conn, err := grpcconn.New(cfg.GetGrpc().GetAddr(), "", grpcconn.WithInsecure(cfg.GetInsecure()))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this might require also take into account custom certs? btw, why did we chose to use grpc here?

@migmartri migmartri left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My main question is why did we decide to use gRPC for this forwarder, when the policyProvider one uses http

Piskoo added 5 commits April 13, 2026 23:31
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo

Piskoo commented Apr 13, 2026

Copy link
Copy Markdown
Contributor Author

My main question is why did we decide to use gRPC for this forwarder, when the policyProvider one uses http

I've misread the comment in the other PR, reverted it back to HTTP

Piskoo added 2 commits April 13, 2026 23:59
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo requested a review from migmartri April 14, 2026 05:35
// ServerOperationsMap is a map of server operations to their authorization requirements.
// Each entry specifies the Casbin policies required (all must pass) and whether the
// operation also requires external authorization.
var ServerOperationsMap = map[string]*OperationPolicy{

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that this is a breaking change. Please create an issue to update consumers (platform) to this new API.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jiparis Seems like platform has it's own type defined, so no changes needed there

@Piskoo Piskoo merged commit e510ae0 into chainloop-dev:main Apr 14, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants