feat(RBAC): enable project-scoped API tokens

[migmartri]

This PR continues with project-scoped API tokens #2130

• Stores additional information in the token such as the projectID, projectName if applicable
• Updates the new rbac primitives to take into account this data during both filtering and enforcement.
• System-level API tokens work the same way. The new Project-level API tokens are the ones that go through the RBAC check in the service layer.

I tested it locally performing both attestations and regular operations with admin tokens or scoped tokens, for example this is what you get when you try to perform an attestation with a token from another project.

chainloop att init --name test-annotations --project project-sarah  --replace --token $CHAINLOOP_TOKEN

ERR operation not allowed: This auth token is valid only with the project "project-john"

closes #2130

[jiparis]

doesn't &options.project.ID work?

[migmartri]

it does, I was just using one way of doing it tbh, a little bit pointless it's true

[jiparis]

Thanks, I like it. Basically "RBAC" for API tokens will be enabled only if the token has a "ProjectID" claim, right?

[jiparis]

If the token has a ProjectID, is this change checking that the ProjectID in the database is the same?

[migmartri]

mm, it is not, let me add it

[migmartri]

Good catch, I was using the projectID from the DB when in reality we need to use the one from the token.

Now I check that both match

[migmartri]

Thanks, I like it. Basically "RBAC" for API tokens will be enabled only if the token has a "ProjectID" claim, right?

That's correct