Merged
29 commits
da766c9
IsAdmin method
jiparis Jul 15, 2025
765b766
rbacenabled
jiparis Jul 15, 2025
44c7bbf
Merge branch 'main' into PFM-3322-newrole
jiparis Jul 16, 2025
bc3b438
contributor role, projectcreate permission
jiparis Jul 16, 2025
acf8c14
Merge branch 'main' into PFM-3322-newrole
jiparis Jul 16, 2025
a0257db
update protos and regenerate
jiparis Jul 16, 2025
37918d2
fix roles for membership
jiparis Jul 16, 2025
95b8caa
memberships only available to admins. group memberships also to maint…
jiparis Jul 17, 2025
5384317
expose roles to CLI
jiparis Jul 17, 2025
ebf9f48
support role in update endpoint
jiparis Jul 17, 2025
90ca06f
project admins inherit from project viewer
jiparis Jul 17, 2025
de580a9
fix test
jiparis Jul 17, 2025
41b43f3
apply RBAC in GetContract
jiparis Jul 17, 2025
686af7e
fix project creatino permission
jiparis Jul 17, 2025
31a555c
fix api tokens
jiparis Jul 17, 2025
6422d3a
use helper
jiparis Jul 17, 2025
fc3c406
Merge branch 'main' into PFM-3322-newrole
jiparis Jul 17, 2025
4b49bdb
merge main
jiparis Jul 17, 2025
123c29d
restore file
jiparis Jul 17, 2025
7788734
remove permission from member
jiparis Jul 17, 2025
702c5bc
remove apitokenlist from viewer
jiparis Jul 17, 2025
ffc4224
Merge branch 'main' into PFM-3322-newrole
jiparis Jul 18, 2025
63e66ef
make linter happy
jiparis Jul 18, 2025
97d85d9
Merge branch 'main' into PFM-3322-newrole
jiparis Jul 18, 2025
029327f
allow eveyone to see visible projects attached to groups
jiparis Jul 18, 2025
0298e53
remove duplicated policy
jiparis Jul 18, 2025
90ebdf1
remove unused roles
jiparis Jul 19, 2025
4c4b19d
remove commented out code
jiparis Jul 21, 2025
ff66bb0
fix comment
jiparis Jul 21, 2025
14 changes: 10 additions & 4 deletions app/cli/internal/action/membership_list.go
Expand Up @@ -162,10 +162,11 @@ func pbMembershipItemToAction(in *pb.OrgMembershipItem) *MembershipItem {
type Role string

const (
RoleAdmin Role = "admin"
RoleOwner Role = "owner"
RoleViewer Role = "viewer"
RoleMember Role = "member"
RoleAdmin Role = "admin"
RoleOwner Role = "owner"
RoleViewer Role = "viewer"
RoleMember Role = "member"
RoleContributor Role = "contributor"
)

type Roles []Role
Expand All @@ -175,6 +176,7 @@ var AvailableRoles = Roles{
RoleOwner,
RoleViewer,
RoleMember,
RoleContributor,
}

func (roles Roles) String() string {
Expand All @@ -195,6 +197,8 @@ func pbRoleToString(role pb.MembershipRole) Role {
return RoleOwner
case pb.MembershipRole_MEMBERSHIP_ROLE_ORG_MEMBER:
return RoleMember
case pb.MembershipRole_MEMBERSHIP_ROLE_ORG_CONTRIBUTOR:
return RoleContributor
}
return ""
}
Expand All @@ -209,6 +213,8 @@ func stringToPbRole(role Role) pb.MembershipRole {
return pb.MembershipRole_MEMBERSHIP_ROLE_ORG_OWNER
case RoleMember:
return pb.MembershipRole_MEMBERSHIP_ROLE_ORG_MEMBER
case RoleContributor:
return pb.MembershipRole_MEMBERSHIP_ROLE_ORG_CONTRIBUTOR
}
return pb.MembershipRole_MEMBERSHIP_ROLE_UNSPECIFIED
}
99 changes: 52 additions & 47 deletions app/controlplane/api/controlplane/v1/response_messages.pb.go


Expand Up @@ -254,6 +254,7 @@ enum MembershipRole {
MEMBERSHIP_ROLE_ORG_ADMIN = 2;
MEMBERSHIP_ROLE_ORG_OWNER = 3;
MEMBERSHIP_ROLE_ORG_MEMBER = 4;
MEMBERSHIP_ROLE_ORG_CONTRIBUTOR = 5;
}

message OrgItem {


12 changes: 11 additions & 1 deletion app/controlplane/internal/service/attestation.go
Expand Up @@ -126,6 +126,12 @@ func (s *AttestationService) GetContract(ctx context.Context, req *cpAPI.Attesta
return nil, errors.NotFound("not found", "contract not found")
}

// If contract is private, check we have permissions on the project
scopedEntity := contractVersion.Contract.ScopedEntity
if rbacEnabled(ctx) && contractVersion.Contract.IsProjectScoped() && scopedEntity.ID != wf.ProjectID {
return nil, errors.NotFound("not found", "contract not found")
}

resp := &cpAPI.AttestationServiceGetContractResponse_Result{
Workflow: bizWorkflowToPb(wf),
Contract: bizWorkFlowContractVersionToPb(contractVersion.Version),
Expand Down Expand Up @@ -674,10 +680,14 @@ func (s *AttestationService) FindOrCreateWorkflow(ctx context.Context, req *cpAP

// try to load project and apply RBAC if needed
if _, err := s.userHasPermissionOnProject(ctx, apiToken.OrgID, &cpAPI.IdentityReference{Name: &req.ProjectName}, authz.PolicyWorkflowCreate); err != nil {
// if the project is not found, we ignore the error, since we'll create the project in this call
// if the project is not found, check if user can create projects
if !errors.IsNotFound(err) {
return nil, err
}

if err = s.userCanCreateProject(ctx); err != nil {
return nil, err
}
}

// we need this token to forward it to the provider service next
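Review bot: The comment above the new check in GetContract says it verifies "permissions on the project", but the code consults no user permission at all; it only enforces that a project-scoped contract is served through a workflow of the same project (`scopedEntity.ID != wf.ProjectID`), and the whole check is skipped when `rbacEnabled(ctx)` is false. Suggest `// Project-scoped contracts may only be fetched through a workflow of the owning project; answer NotFound rather than a permission error so the contract's existence is not leaked` so the next reader does not assume a role check happens here. Reading `scopedEntity.ID` looks safe only because `IsProjectScoped()` is evaluated first; if `ScopedEntity` can be nil for org-scoped contracts, that ordering deserves a short note (I am inferring the nil case — confirm). In the FindOrCreateWorkflow hunk the fall-through to `userCanCreateProject` runs only for NotFound, which reads correctly; both enclosing methods start and end outside their hunks.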
2 changes: 1 addition & 1 deletion app/controlplane/internal/service/cascredential.go
Expand Up @@ -128,7 +128,7 @@ func (s *CASCredentialsService) Get(ctx context.Context, req *pb.CASCredentialsS

if mapping != nil {
backend = mapping.CASBackend
} else if currentAuthzSubject == string(authz.RoleAdmin) || currentAuthzSubject == string(authz.RoleOwner) {
} else if authz.Role(currentAuthzSubject).IsAdmin() {
// fallback to default mapping for admins
backend = defaultBackend
}
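Review bot: `authz.Role(currentAuthzSubject).IsAdmin()` replaces an explicit admin-or-owner comparison, so the fallback to the default CAS backend now depends on `IsAdmin()` treating `RoleOwner` as admin; its definition is not part of this diff, so confirm it covers both roles, otherwise owners silently lose the default mapping. The same substitution is made in group.go's `userHasPermissionOnGroupMembershipsWithPolicy`, whose surrounding comment still says `// Allow if user has admin or owner role`, which is exactly the contract `IsAdmin()` should carry in its doc comment. The enclosing `Get` method starts and ends outside the hunk.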
7 changes: 6 additions & 1 deletion app/controlplane/internal/service/group.go
Expand Up @@ -265,6 +265,10 @@ func (g *GroupService) ListMembers(ctx context.Context, req *pb.GroupServiceList
RequesterID: requesterUUID,
}

if err = g.userHasPermissionOnGroupMembershipsWithPolicy(ctx, currentOrg.ID, req.GetGroupReference(), authz.PolicyGroupListMemberships); err != nil {
return nil, err
}

// Parse groupID and groupName from the request
opts.ID, opts.Name, err = req.GetGroupReference().Parse()
if err != nil {
Expand Down Expand Up @@ -509,6 +513,7 @@ func (g *GroupService) ListProjects(ctx context.Context, req *pb.GroupServiceLis
orgUUID, err := uuid.Parse(currentOrg.ID)
if err != nil {
return nil, errors.BadRequest("invalid", "invalid organization ID")

}

// Parse groupID and groupName from the request
Expand Down Expand Up @@ -585,7 +590,7 @@ func (g *GroupService) userHasPermissionOnGroupMembershipsWithPolicy(ctx context
}

// Allow if user has admin or owner role
if userRole == string(authz.RoleAdmin) || userRole == string(authz.RoleOwner) {
if authz.Role(userRole).IsAdmin() {
return nil
}

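Review bot: The new authorization call in ListMembers has no comment explaining why it runs before the group reference is parsed; a line such as `// Authorize the caller before resolving the group so the outcome does not depend on the lookup result` would make the ordering intentional rather than incidental (that reason is my inference — confirm it matches the helper's behaviour). In the ListProjects hunk a stray blank line was added before the closing brace of the `if err != nil` block; gofmt keeps it, so it should be removed. Both methods begin and end outside their hunks.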