fix(rbac): inherit group roles in referrer and casredirect services

app/controlplane/pkg/biz/casmapping.go

@@ -52,14 +52,13 @@ type CASMappingRepo interface {
 }
 
 type CASMappingUseCase struct {
-	repo           CASMappingRepo
-	membershipRepo MembershipRepo
-	projectsRepo   ProjectsRepo
-	logger         *log.Helper
+	repo         CASMappingRepo
+	membershipUC *MembershipUseCase
+	logger       *log.Helper
 }
 
-func NewCASMappingUseCase(repo CASMappingRepo, mRepo MembershipRepo, pRepo ProjectsRepo, logger log.Logger) *CASMappingUseCase {
-	return &CASMappingUseCase{repo, mRepo, pRepo, servicelogger.ScopedHelper(logger, "cas-mapping-usecase")}
+func NewCASMappingUseCase(repo CASMappingRepo, membershipUC *MembershipUseCase, logger log.Logger) *CASMappingUseCase {
+	return &CASMappingUseCase{repo, membershipUC, servicelogger.ScopedHelper(logger, "cas-mapping-usecase")}
 }
 
 type CASMappingCreateOpts struct {
@@ -99,7 +98,7 @@ func (uc *CASMappingUseCase) FindCASMappingForDownloadByUser(ctx context.Context
 		return nil, NewErrInvalidUUID(err)
 	}
 
-	userOrgs, projectIDs, err := getOrgsAndRBACInfoForUser(ctx, userUUID, uc.membershipRepo, uc.projectsRepo)
+	userOrgs, projectIDs, err := uc.membershipUC.GetOrgsAndRBACInfoForUser(ctx, userUUID)
 	if err != nil {
 		return nil, err
 	}

app/controlplane/pkg/biz/casmapping_test.go

@@ -162,7 +162,7 @@ type casMappingSuite struct {
 
 func (s *casMappingSuite) SetupTest() {
 	s.repo = repoM.NewCASMappingRepo(s.T())
-	s.useCase = biz.NewCASMappingUseCase(s.repo, nil, nil, nil)
+	s.useCase = biz.NewCASMappingUseCase(s.repo, nil, nil)
 }
 
 func TestCASMapping(t *testing.T) {

app/controlplane/pkg/biz/membership.go

@@ -361,9 +361,9 @@ func (uc *MembershipUseCase) SetProjectOwner(ctx context.Context, orgID, project
 	return nil
 }
 
-func getOrgsAndRBACInfoForUser(ctx context.Context, userID uuid.UUID, mRepo MembershipRepo, pRepo ProjectsRepo) ([]uuid.UUID, map[uuid.UUID][]uuid.UUID, error) {
+func (uc *MembershipUseCase) GetOrgsAndRBACInfoForUser(ctx context.Context, userID uuid.UUID) ([]uuid.UUID, map[uuid.UUID][]uuid.UUID, error) {
 	// Load ALL memberships for the given user
-	memberships, err := mRepo.ListAllByUser(ctx, userID)
+	memberships, err := uc.ListAllMembershipsForUser(ctx, userID)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to list memberships: %w", err)
 	}
@@ -376,13 +376,9 @@ func getOrgsAndRBACInfoForUser(ctx context.Context, userID uuid.UUID, mRepo Memb
 			userOrgs = append(userOrgs, m.ResourceID)
 			// If the role in the org is member, we must enable RBAC for projects.
 			if m.Role == authz.RoleOrgMember {
-				// get list of projects in org, and match it with the memberships to build a filter
-				orgProjects, err := getProjectsWithMembership(ctx, pRepo, m.ResourceID, memberships)
-				if err != nil {
-					return nil, nil, err
-				}
+				// get the list of projects in org, and match it with the memberships to build a filter.
 				// note that appending an empty slice to a nil slice doesn't change it (it's still nil)
-				projectIDs[m.ResourceID] = orgProjects
+				projectIDs[m.ResourceID] = getProjectsWithMembershipInOrg(m.ResourceID, memberships)
 			}
 		}
 	}

app/controlplane/pkg/biz/project.go

@@ -18,7 +18,6 @@ package biz
 import (
 	"context"
 	"fmt"
-	"slices"
 	"time"
 
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/auditor/events"
@@ -649,21 +648,15 @@ func (uc *ProjectUseCase) verifyRequesterHasPermissions(ctx context.Context, org
 }
 
 // getProjectsWithMembership returns the list of project IDs in the org for which the user has a membership
-func getProjectsWithMembership(ctx context.Context, projectsRepo ProjectsRepo, orgID uuid.UUID, memberships []*Membership) ([]uuid.UUID, error) {
+func getProjectsWithMembershipInOrg(orgID uuid.UUID, memberships []*Membership) []uuid.UUID {
 	ids := make([]uuid.UUID, 0)
-	projects, err := projectsRepo.ListProjectsByOrgID(ctx, orgID)
-	if err != nil {
-		return nil, fmt.Errorf("listing projects: %w", err)
-	}
-	for _, p := range projects {
-		if slices.ContainsFunc(memberships, func(m *Membership) bool {
-			return m.ResourceType == authz.ResourceTypeProject && m.ResourceID == p.ID
-		}) {
-			ids = append(ids, p.ID)
+	for _, m := range memberships {
+		if m.ResourceType == authz.ResourceTypeProject && m.OrganizationID == orgID {
+			ids = append(ids, m.ResourceID)
 		}
 	}
 
-	return ids, nil
+	return ids
 }
 
 // UpdateMemberRole updates the role of a user or group in a project.

app/controlplane/pkg/biz/referrer.go

@@ -35,15 +35,14 @@ import (
 )
 
 type ReferrerUseCase struct {
-	repo           ReferrerRepo
-	membershipRepo MembershipRepo
-	workflowRepo   WorkflowRepo
-	projectsRepo   ProjectsRepo
-	logger         *log.Helper
-	indexConfig    *conf.ReferrerSharedIndex
+	repo              ReferrerRepo
+	membershipUseCase *MembershipUseCase
+	workflowRepo      WorkflowRepo
+	logger            *log.Helper
+	indexConfig       *conf.ReferrerSharedIndex
 }
 
-func NewReferrerUseCase(repo ReferrerRepo, wfRepo WorkflowRepo, mRepo MembershipRepo, projectsRepo ProjectsRepo, indexCfg *conf.ReferrerSharedIndex, l log.Logger) (*ReferrerUseCase, error) {
+func NewReferrerUseCase(repo ReferrerRepo, wfRepo WorkflowRepo, membershipUseCase *MembershipUseCase, indexCfg *conf.ReferrerSharedIndex, l log.Logger) (*ReferrerUseCase, error) {
 	if l == nil {
 		l = log.NewStdLogger(io.Discard)
 	}
@@ -60,12 +59,11 @@ func NewReferrerUseCase(repo ReferrerRepo, wfRepo WorkflowRepo, mRepo Membership
 	}
 
 	return &ReferrerUseCase{
-		repo:           repo,
-		membershipRepo: mRepo,
-		indexConfig:    indexCfg,
-		workflowRepo:   wfRepo,
-		projectsRepo:   projectsRepo,
-		logger:         logger,
+		repo:              repo,
+		membershipUseCase: membershipUseCase,
+		indexConfig:       indexCfg,
+		workflowRepo:      wfRepo,
+		logger:            logger,
 	}, nil
 }
 
@@ -172,7 +170,7 @@ func (s *ReferrerUseCase) GetFromRootUser(ctx context.Context, digest, rootKind,
 		return nil, NewErrInvalidUUID(err)
 	}
 
-	userOrgs, projectIDs, err := getOrgsAndRBACInfoForUser(ctx, userUUID, s.membershipRepo, s.projectsRepo)
+	userOrgs, projectIDs, err := s.membershipUseCase.GetOrgsAndRBACInfoForUser(ctx, userUUID)
 	if err != nil {
 		return nil, err
 	}

app/controlplane/pkg/biz/referrer_integration_test.go

@@ -87,7 +87,7 @@ func (s *referrerIntegrationTestSuite) TestGetFromRootInPublicSharedIndex() {
 	})
 
 	s.T().Run("it should appear if we whitelist org2", func(t *testing.T) {
-		uc, err := biz.NewReferrerUseCase(s.Repos.Referrer, s.Repos.Workflow, s.Repos.Membership, nil,
+		uc, err := biz.NewReferrerUseCase(s.Repos.Referrer, s.Repos.Workflow, s.Membership,
 			&conf.ReferrerSharedIndex{
 				Enabled:     true,
 				AllowedOrgs: []string{s.org2.ID},
@@ -463,7 +463,7 @@ func (s *referrerIntegrationTestSuite) SetupTest() {
 	_, err = s.Membership.Create(ctx, s.org2.ID, s.user2.ID, biz.WithCurrentMembership())
 	require.NoError(s.T(), err)
 
-	s.sharedEnabledUC, err = biz.NewReferrerUseCase(s.Repos.Referrer, s.Repos.Workflow, s.Repos.Membership, nil,
+	s.sharedEnabledUC, err = biz.NewReferrerUseCase(s.Repos.Referrer, s.Repos.Workflow, s.Membership,
 		&conf.ReferrerSharedIndex{
 			Enabled:     true,
 			AllowedOrgs: []string{s.org1.ID},

app/controlplane/pkg/biz/referrer_test.go

@@ -70,7 +70,7 @@ func (s *referrerTestSuite) TestInitialization() {
 
 	for _, tc := range testCases {
 		s.T().Run(tc.name, func(t *testing.T) {
-			_, err := NewReferrerUseCase(nil, nil, nil, nil, tc.conf, nil)
+			_, err := NewReferrerUseCase(nil, nil, nil, tc.conf, nil)
 			if tc.wantErrMsg != "" {
 				assert.EqualError(t, err, tc.wantErrMsg)
 			} else {