refactor(authz): replace admin role check with policy-based authorization for default backend access (#2741)

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>

Author: migmartri

app/controlplane/internal/service/cascredential.go

@@ -117,20 +117,23 @@ func (s *CASCredentialsService) Get(ctx context.Context, req *pb.CASCredentialsS
 				projectIDs[orgID] = []uuid.UUID{*currentAPIToken.ProjectID}
 			}
 			mapping, err = s.casMappingUC.FindCASMappingForDownloadByOrg(ctx, req.Digest, []uuid.UUID{orgID}, projectIDs)
-		}
-
-		if err != nil && !biz.IsNotFound(err) {
-			if biz.IsErrValidation(err) {
-				return nil, errors.BadRequest("invalid", err.Error())
+			if err != nil && !biz.IsNotFound(err) {
+				if biz.IsErrValidation(err) {
+					return nil, errors.BadRequest("invalid", err.Error())
+				}
+				return nil, handleUseCaseErr(err, s.log)
 			}
-			return nil, handleUseCaseErr(err, s.log)
 		}
 
 		if mapping != nil {
 			backend = mapping.CASBackend
-		} else if authz.Role(currentAuthzSubject).IsAdmin() {
-			// fallback to default mapping for admins
-			backend = defaultBackend
+		} else {
+			// fallback to default backend if the user or the token is allowed to
+			if ok, err := s.authzUC.Enforce(ctx, currentAuthzSubject, authz.PolicyDefaultBackendArtifactRead); err != nil {
+				return nil, handleUseCaseErr(err, s.log)
+			} else if ok {
+				backend = defaultBackend
+			}
 		}
 	case casJWT.Uploader:
 		backend = defaultBackend

app/controlplane/pkg/authz/authz.go

@@ -63,6 +63,7 @@ const (
 	ResourceAPIToken                = "api_token"
 	ResourceProjectMembership       = "project_membership"
 	ResourceOrganizationInvitations = "organization_invitations"
+	ResourceDefaultBackend          = "default_backend"
 
 	// Top level instance admin role
 	// this is used to know if an user is a super admin of the chainloop instance
@@ -107,6 +108,8 @@ var (
 	// Artifact
 	PolicyArtifactDownload = &Policy{ResourceCASArtifact, ActionRead}
 	PolicyArtifactUpload   = &Policy{ResourceCASArtifact, ActionCreate}
+	// Being able to read from the default backend
+	PolicyDefaultBackendArtifactRead = &Policy{ResourceDefaultBackend, ActionRead}
 	// CAS backend
 	PolicyCASBackendList   = &Policy{ResourceCASBackend, ActionList}
 	PolicyCASBackendUpdate = &Policy{ResourceCASBackend, ActionUpdate}
@@ -198,6 +201,8 @@ var RolesMap = map[Role][]*Policy{
 		PolicyArtifactUpload,
 		// We manually check this policy to be able to know if the user can invite users to the system
 		PolicyOrganizationInvitationsCreate,
+		// Being able to read from the default backend
+		PolicyDefaultBackendArtifactRead,
 		// + all the policies from the viewer role inherited automatically
 	},
 	// RoleViewer is an org-scoped role that provides read-only access to all resources