diff --git a/app/controlplane/internal/service/cascredential.go b/app/controlplane/internal/service/cascredential.go index 13108feb3..4ec74786d 100644 --- a/app/controlplane/internal/service/cascredential.go +++ b/app/controlplane/internal/service/cascredential.go @@ -58,10 +58,7 @@ func (s *CASCredentialsService) Get(ctx context.Context, req *pb.CASCredentialsS } // Internal platform traffic can be flagged so the CAS skips audit event emission for it - sourceInternal, err := resolveSourceInternal(req.GetSourceInternal(), currentAPIToken) - if err != nil { - return nil, err - } + sourceInternal := resolveSourceInternal(req.GetSourceInternal(), currentAPIToken) currentOrg, err := requireCurrentOrg(ctx) if err != nil { @@ -167,17 +164,12 @@ func (s *CASCredentialsService) Get(ctx context.Context, req *pb.CASCredentialsS }, nil } -// resolveSourceInternal returns whether the minted CAS token must be flagged as internal -// platform traffic. Only system API tokens can request it since they are minted exclusively -// by internal code paths; any other caller asking for it is rejected. -func resolveSourceInternal(requested bool, token *entities.APIToken) (bool, error) { - if !requested { - return false, nil - } - - if token == nil || !token.IsSystem { - return false, errors.Forbidden("forbidden", "source_internal is restricted to system API tokens") - } - - return true, nil +// resolveSourceInternal returns whether the minted CAS token should be flagged as internal +// platform traffic. It is only flagged when a system API token explicitly requests it, since +// these tokens are minted exclusively by internal code paths. +// +// This is best-effort: any other caller requesting it (for example an outdated system whose +// token store does not yet mark its tokens as system) is simply not flagged rather than rejected. +func resolveSourceInternal(requested bool, token *entities.APIToken) bool { + return requested && token != nil && token.IsSystem } diff --git a/app/controlplane/internal/service/cascredential_test.go b/app/controlplane/internal/service/cascredential_test.go index 04a4c54f1..df08a58a8 100644 --- a/app/controlplane/internal/service/cascredential_test.go +++ b/app/controlplane/internal/service/cascredential_test.go @@ -19,9 +19,7 @@ import ( "testing" "github.com/chainloop-dev/chainloop/app/controlplane/internal/usercontext/entities" - "github.com/go-kratos/kratos/v2/errors" "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" ) func TestResolveSourceInternal(t *testing.T) { @@ -30,7 +28,6 @@ func TestResolveSourceInternal(t *testing.T) { requested bool token *entities.APIToken want bool - wantErr bool }{ { name: "not requested, no token (user auth)", @@ -57,29 +54,24 @@ func TestResolveSourceInternal(t *testing.T) { want: true, }, { - name: "requested by regular API token is forbidden", + // best-effort: a non-system token requesting it is ignored, not rejected, + // to tolerate outdated systems whose tokens are not yet marked as system + name: "requested by regular API token falls back to false", requested: true, token: &entities.APIToken{}, - wantErr: true, + want: false, }, { - name: "requested by user auth is forbidden", + name: "requested by user auth falls back to false", requested: true, token: nil, - wantErr: true, + want: false, }, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - got, err := resolveSourceInternal(tc.requested, tc.token) - if tc.wantErr { - require.Error(t, err) - assert.True(t, errors.IsForbidden(err)) - return - } - - require.NoError(t, err) + got := resolveSourceInternal(tc.requested, tc.token) assert.Equal(t, tc.want, got) }) }