feat(crafting-schema): add organization resolver (#2465)

Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>

Author: Piskoo

app/controlplane/internal/usercontext/currentorganization_middleware.go

@@ -17,13 +17,15 @@ package usercontext
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"time"
 
 	v1 "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/usercontext/entities"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz"
+	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/unmarshal"
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/go-kratos/kratos/v2/middleware"
 	"github.com/google/uuid"
@@ -68,8 +70,15 @@ func WithCurrentOrganizationMiddleware(userUseCase biz.UserOrgFinder, logger *lo
 				return nil, fmt.Errorf("error getting organization name: %w", err)
 			}
 
+			// Extract organization from resource metadata, takes precedence over header
+			if orgFromResource, err := getFromResource(req); err != nil {
+				return nil, fmt.Errorf("organization from resource: %w", err)
+			} else if orgFromResource != "" {
+				orgName = orgFromResource
+			}
+
 			if orgName != "" {
-				ctx, err = setCurrentOrganizationFromHeader(ctx, u, orgName, userUseCase)
+				ctx, err = setCurrentMembershipFromOrgName(ctx, u, orgName, userUseCase)
 				if err != nil {
 					return nil, v1.ErrorUserNotMemberOfOrgErrorNotInOrg("user is not a member of organization %s", orgName)
 				}
@@ -131,7 +140,7 @@ func ResetMembershipsCache() {
 	membershipsCache.Purge()
 }
 
-func setCurrentOrganizationFromHeader(ctx context.Context, user *entities.User, orgName string, userUC biz.UserOrgFinder) (context.Context, error) {
+func setCurrentMembershipFromOrgName(ctx context.Context, user *entities.User, orgName string, userUC biz.UserOrgFinder) (context.Context, error) {
 	membership, err := userUC.MembershipInOrg(ctx, user.ID, orgName)
 	if err != nil {
 		return nil, fmt.Errorf("failed to find membership: %w", err)
@@ -166,3 +175,72 @@ func setCurrentOrganizationFromDB(ctx context.Context, user *entities.User, user
 
 	return ctx, nil
 }
+
+// Gets organization from resource metadata
+// The metadata organization field acts as a namespace for organization resources
+func getFromResource(req interface{}) (string, error) {
+	if req == nil {
+		return "", nil
+	}
+
+	switch v := req.(type) {
+	case *v1.WorkflowContractServiceCreateRequest, *v1.WorkflowContractServiceUpdateRequest:
+		return extractOrg(v)
+	}
+
+	return "", nil
+}
+
+type ResourceBase struct {
+	Metadata struct {
+		Organization string `json:"organization"`
+	} `json:"metadata"`
+}
+
+// Extracts organization from request with raw contract data
+func extractOrg(req interface{}) (string, error) {
+	// Get raw data
+	rawData, err := getRawData(req)
+	if err != nil {
+		return "", err
+	}
+
+	if len(rawData) == 0 {
+		return "", nil
+	}
+
+	// Identify format
+	format, err := unmarshal.IdentifyFormat(rawData)
+	if err != nil {
+		return "", err
+	}
+
+	jsonData, err := unmarshal.LoadJSONBytes(rawData, "."+string(format))
+	if err != nil {
+		return "", err
+	}
+
+	// Unmarshal to extract organization
+	var resourceBase ResourceBase
+	if err := json.Unmarshal(jsonData, &resourceBase); err != nil {
+		// If unmarshaling fails, return empty string (no error)
+		// This allows old format schemas to work without the metadata field
+		return "", nil
+	}
+
+	return resourceBase.Metadata.Organization, nil
+}
+
+type RequestWithRawContract interface {
+	GetRawContract() []byte
+}
+
+// Extracts raw data
+func getRawData(req interface{}) ([]byte, error) {
+	// Check if the request implements RequestWithRawContract
+	if rawContractReq, ok := req.(RequestWithRawContract); ok {
+		return rawContractReq.GetRawContract(), nil
+	}
+
+	return nil, fmt.Errorf("request does not have raw contract")
+}

app/controlplane/internal/usercontext/currentorganization_middleware_test.go

@@ -20,6 +20,7 @@ import (
 	"io"
 	"testing"
 
+	v1 "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/usercontext/entities"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/authz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz"
@@ -29,6 +30,7 @@ import (
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestWithCurrentOrganizationMiddleware(t *testing.T) {
@@ -102,3 +104,138 @@ func TestWithCurrentOrganizationMiddleware(t *testing.T) {
 		})
 	}
 }
+
+func TestGetFromResourceWorkflowContract(t *testing.T) {
+	tests := []struct {
+		name          string
+		rawContract   []byte
+		expectedOrg   string
+		expectedError bool
+	}{
+		{
+			name: "valid contract with organization in metadata",
+			rawContract: []byte(`apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: test-contract
+  organization: test-org
+spec:
+  materials:
+    - name: my-image
+      type: CONTAINER_IMAGE`),
+			expectedOrg:   "test-org",
+			expectedError: false,
+		},
+		{
+			name: "valid contract without organization",
+			rawContract: []byte(`apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: test-contract
+spec:
+  materials:
+    - name: my-image
+      type: CONTAINER_IMAGE`),
+			expectedOrg:   "",
+			expectedError: false,
+		},
+		{
+			name: "JSON format contract with organization",
+			rawContract: []byte(`{
+  "apiVersion": "chainloop.dev/v1",
+  "kind": "Contract",
+  "metadata": {
+    "name": "test-contract",
+    "organization": "json-org"
+  },
+  "spec": {
+    "materials": [
+      {
+        "name": "my-image",
+        "type": "CONTAINER_IMAGE"
+      }
+    ]
+  }
+}`),
+			expectedOrg:   "json-org",
+			expectedError: false,
+		},
+		{
+			name:          "empty raw contract",
+			rawContract:   []byte{},
+			expectedOrg:   "",
+			expectedError: false,
+		},
+		{
+			name:          "nil raw contract",
+			rawContract:   nil,
+			expectedOrg:   "",
+			expectedError: false,
+		},
+		{
+			name: "old schema format (CraftingSchema) - no organization field",
+			rawContract: []byte(`schemaVersion: v1
+materials:
+  - name: my-image
+    type: CONTAINER_IMAGE
+runner:
+  type: GITHUB_ACTION`),
+			expectedOrg:   "",
+			expectedError: false,
+		},
+		{
+			name: "old schema format JSON - no organization field",
+			rawContract: []byte(`{
+  "schemaVersion": "v1",
+  "materials": [
+    {
+      "name": "my-image",
+      "type": "CONTAINER_IMAGE"
+    }
+  ],
+  "runner": {
+    "type": "GITHUB_ACTION"
+  }
+}`),
+			expectedOrg:   "",
+			expectedError: false,
+		},
+		{
+			name: "invalid format",
+			rawContract: []byte(`invalid yaml content
+			this is not parseable`),
+			expectedOrg:   "",
+			expectedError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test with CreateRequest
+			createReq := &v1.WorkflowContractServiceCreateRequest{
+				RawContract: tt.rawContract,
+			}
+
+			org, err := getFromResource(createReq)
+			if tt.expectedError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tt.expectedOrg, org)
+			}
+
+			// Test with UpdateRequest
+			updateReq := &v1.WorkflowContractServiceUpdateRequest{
+				RawContract: tt.rawContract,
+			}
+
+			org, err = getFromResource(updateReq)
+			if tt.expectedError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tt.expectedOrg, org)
+			}
+		})
+	}
+}