diff --git a/app/controlplane/pkg/authz/authz.go b/app/controlplane/pkg/authz/authz.go
index 2b9fc6c6e..d4299f258 100644
--- a/app/controlplane/pkg/authz/authz.go
+++ b/app/controlplane/pkg/authz/authz.go
@@ -406,6 +406,7 @@ var ServerOperationsMap = map[string]*OperationPolicy{
 "/controlplane.v1.WorkflowContractService/Update": {Policies: []*Policy{PolicyWorkflowContractUpdate}},
 "/controlplane.v1.WorkflowContractService/Create": {Policies: []*Policy{PolicyWorkflowContractCreate}},
 "/controlplane.v1.WorkflowContractService/Delete": {Policies: []*Policy{PolicyWorkflowContractDelete}},
+ "/controlplane.v1.WorkflowContractService/Apply": {Policies: []*Policy{PolicyWorkflowContractCreate, PolicyWorkflowContractUpdate}},
 // Get current information about an organization
 "/controlplane.v1.ContextService/Current": {Policies: []*Policy{PolicyOrganizationRead}},
 // Listing, create or selecting an organization does not have any required permissions,
diff --git a/app/controlplane/pkg/authz/middleware/middleware_test.go b/app/controlplane/pkg/authz/middleware/middleware_test.go
index 91b70ae18..673530033 100644
--- a/app/controlplane/pkg/authz/middleware/middleware_test.go
+++ b/app/controlplane/pkg/authz/middleware/middleware_test.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2024-2025 The Chainloop Authors.
+// Copyright 2024-2026 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -210,6 +210,10 @@ func TestPoliciesLookup(t *testing.T) {
 operation: "/controlplane.v1.OrgMetricsService",
 wantErr: true,
 },
+ {
+ name: "contract apply operation found",
+ operation: "/controlplane.v1.WorkflowContractService/Apply",
+ },
 }
 
 for _, tc := range testCases {
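Review bot: The `Apply` entry is the only one in this hunk that lists two policies, and the hunk does not show whether enforcement requires every policy in `Policies` or accepts any one of them. Apply presumably creates or updates depending on whether the contract already exists, so under any-of evaluation a principal holding only `PolicyWorkflowContractUpdate` could create contracts (or the reverse). The all-of behaviour should be confirmed in the middleware and stated at the entry. I would add a comment above it such as `// Apply is an upsert: the caller needs both create and update permission on workflow contracts`. The `ServerOperationsMap` literal starts and ends outside the hunk.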
@@ -224,3 +228,9 @@ func TestPoliciesLookup(t *testing.T) {
 })
 }
 }
+
+func TestPoliciesLookupContractApply(t *testing.T) {
+ policies, err := policiesLookup("/controlplane.v1.WorkflowContractService/Apply")
+ assert.NoError(t, err)
+ assert.Equal(t, []*authz.Policy{authz.PolicyWorkflowContractCreate, authz.PolicyWorkflowContractUpdate}, policies)
+}
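Review bot: `TestPoliciesLookupContractApply` pins only what `policiesLookup` returns, so nothing here checks that a caller holding just one of the two permissions is refused on Apply. If both policies are meant to be required, a middleware-level case that grants only `PolicyWorkflowContractCreate`, and one that grants only `PolicyWorkflowContractUpdate`, each expecting a denial, would protect that rule against a later change in how multiple policies are combined. The table case "contract apply operation found" added in the earlier hunk of this file is already covered by this function and could be dropped. Smaller point: `assert.NoError(t, err)` lets the test run on into `assert.Equal` after a failed lookup; `require.NoError(t, err)` would stop there, assuming testify's `require` is or can be imported in this file.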