feat(rbac): RBAC foundation

app/cli/cmd/organization_invitation_create.go

@@ -54,7 +54,7 @@ func newOrganizationInvitationCreateCmd() *cobra.Command {
 	cmd.Flags().StringVar(&receiverEmail, "receiver", "", "Email of the user to invite")
 	err := cmd.MarkFlagRequired("receiver")
 
-	cmd.Flags().StringVar(&role, "role", string(action.RoleViewer), fmt.Sprintf("Role of the user in the organization, available %s", action.AvailableRoles))
+	cmd.Flags().StringVar(&role, "role", string(action.RoleViewer), fmt.Sprintf("Role of the user in the organization, available %s", action.AvailableRoles[:3]))
 	cobra.CheckErr(err)
 
 	return cmd

app/cli/cmd/organization_member_update.go

@@ -54,7 +54,7 @@ func newOrganizationMemberUpdateCmd() *cobra.Command {
 	err := cmd.MarkFlagRequired("id")
 	cobra.CheckErr(err)
 
-	cmd.Flags().StringVar(&role, "role", string(action.RoleViewer), fmt.Sprintf("Role of the user in the organization, available %s", action.AvailableRoles))
+	cmd.Flags().StringVar(&role, "role", string(action.RoleViewer), fmt.Sprintf("Role of the user in the organization, available %s", action.AvailableRoles[:3]))
 	cobra.CheckErr(err)
 
 	return cmd

app/cli/internal/action/membership_list.go

@@ -117,6 +117,7 @@ const (
 	RoleAdmin  Role = "admin"
 	RoleOwner  Role = "owner"
 	RoleViewer Role = "viewer"
+	RoleMember Role = "member"
 )
 
 type Roles []Role
@@ -125,6 +126,7 @@ var AvailableRoles = Roles{
 	RoleAdmin,
 	RoleOwner,
 	RoleViewer,
+	RoleMember,
 }
 
 func (roles Roles) String() string {
@@ -143,6 +145,8 @@ func pbRoleToString(role pb.MembershipRole) Role {
 		return RoleViewer
 	case pb.MembershipRole_MEMBERSHIP_ROLE_ORG_OWNER:
 		return RoleOwner
+	case pb.MembershipRole_MEMBERSHIP_ROLE_ORG_MEMBER:
+		return RoleMember
 	}
 	return ""
 }
@@ -155,6 +159,8 @@ func stringToPbRole(role Role) pb.MembershipRole {
 		return pb.MembershipRole_MEMBERSHIP_ROLE_ORG_VIEWER
 	case RoleOwner:
 		return pb.MembershipRole_MEMBERSHIP_ROLE_ORG_OWNER
+	case RoleMember:
+		return pb.MembershipRole_MEMBERSHIP_ROLE_ORG_MEMBER
 	}
 	return pb.MembershipRole_MEMBERSHIP_ROLE_UNSPECIFIED
 }

app/controlplane/api/controlplane/v1/response_messages.proto

@@ -241,6 +241,7 @@ enum MembershipRole {
   MEMBERSHIP_ROLE_ORG_VIEWER = 1;
   MEMBERSHIP_ROLE_ORG_ADMIN = 2;
   MEMBERSHIP_ROLE_ORG_OWNER = 3;
+  MEMBERSHIP_ROLE_ORG_MEMBER = 4;
 }
 
 message OrgItem {

app/controlplane/cmd/wire.go

@@ -90,9 +90,11 @@ func newPolicyProviderConfig(in []*conf.PolicyProvider) []*policies.NewRegistryC
 	return out
 }
 
-func serviceOpts(l log.Logger) []service.NewOpt {
+func serviceOpts(l log.Logger, enforcer *authz.Enforcer, pUC *biz.ProjectUseCase) []service.NewOpt {
 	return []service.NewOpt{
 		service.WithLogger(l),
+		service.WithEnforcer(enforcer),
+		service.WithProjectUseCase(pUC),
 	}
 }
 

app/controlplane/internal/dispatcher/dispatcher.go

@@ -24,6 +24,7 @@ import (
 	"time"
 
 	crv1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/uuid"
 
 	"github.com/cenkalti/backoff/v4"
 
@@ -146,7 +147,12 @@ func (d *FanOutDispatcher) initDispatchQueue(ctx context.Context, orgID, workflo
 	queue := dispatchQueue{}
 
 	// List enabled integrations with this workflow
-	attachments, err := d.integrationUC.ListAttachments(ctx, orgID, workflowID)
+	wfUUID, err := uuid.Parse(workflowID)
+	if err != nil {
+		return nil, fmt.Errorf("parsing workflow ID: %w", err)
+	}
+
+	attachments, err := d.integrationUC.ListAttachments(ctx, orgID, &biz.ListAttachmentsOpts{WorkflowID: &wfUUID})
 	if err != nil {
 		return nil, fmt.Errorf("listing attachments: %w", err)
 	}

app/controlplane/internal/server/grpc.go

@@ -60,6 +60,7 @@ type Opts struct {
 	APITokenUseCase     *biz.APITokenUseCase
 	OrganizationUseCase *biz.OrganizationUseCase
 	WorkflowUseCase     *biz.WorkflowUseCase
+	MembershipUseCase   *biz.MembershipUseCase
 	// Services
 	WorkflowSvc         *service.WorkflowService
 	AuthSvc             *service.AuthService
@@ -188,7 +189,7 @@ func craftMiddleware(opts *Opts) []middleware.Middleware {
 			usercontext.WithCurrentUserMiddleware(opts.UserUseCase, logHelper),
 			selector.Server(
 				// 2.c - Set its organization
-				usercontext.WithCurrentOrganizationMiddleware(opts.UserUseCase, logHelper),
+				usercontext.WithCurrentOrganizationMiddleware(opts.UserUseCase, opts.MembershipUseCase, logHelper),
 				// 3 - Check user/token authorization
 				authzMiddleware.WithAuthzMiddleware(opts.Enforcer, logHelper),
 			).Match(requireAllButOrganizationOperationsMatcher()).Build(),
@@ -223,7 +224,7 @@ func craftMiddleware(opts *Opts) []middleware.Middleware {
 			// 2.b - Set its API token and Robot Account as alternative to the user
 			usercontext.WithAttestationContextFromAPIToken(opts.APITokenUseCase, opts.OrganizationUseCase, logHelper),
 			// 2.c - Set Attestation context from user token
-			usercontext.WithAttestationContextFromUser(opts.UserUseCase, logHelper),
+			usercontext.WithAttestationContextFromUser(opts.UserUseCase, opts.MembershipUseCase, logHelper),
 			// 2.d - Set its robot account from federated delegation
 			usercontext.WithAttestationContextFromFederatedInfo(opts.OrganizationUseCase, logHelper),
 		).Match(requireRobotAccountMatcher()).Build(),