fix connection nats

migmartri · migmartri · commit 8645a5e29300 · 2025-11-10T13:13:53.000+01:00
Signed-off-by: Miguel Martinez &lt;miguel@chainloop.dev&gt;
diff --git a/app/controlplane/pkg/authz/authz.go b/app/controlplane/pkg/authz/authz.go
@@ -95,7 +95,6 @@ const (
 	RoleGroupMaintainer Role = "role:group:maintainer"
 
 	// Product roles
-
 	RoleProductViewer Role = "role:product:viewer"
 	RoleProductAdmin  Role = "role:product:admin"
 )
diff --git a/app/controlplane/pkg/biz/apitoken_integration_test.go b/app/controlplane/pkg/biz/apitoken_integration_test.go
@@ -21,7 +21,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/authz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz/testhelpers"
 	"github.com/golang-jwt/jwt/v4"
@@ -149,17 +148,21 @@ func (s *apiTokenTestSuite) TestAuthzPolicies() {
 	token, err := s.APIToken.Create(context.Background(), randomName(), nil, nil, s.org.ID)
 	require.NoError(s.T(), err)
 
-	subject := (&authz.SubjectAPIToken{ID: token.ID.String()}).String()
-	// load the policies associated with the token from the global enforcer
-	policies, err := s.Enforcer.GetFilteredPolicy(0, subject)
-	s.Require().NoError(err)
-
-	// Check that only default policies are loaded
-	s.Len(policies, len(s.APIToken.DefaultAuthzPolicies))
-	for _, p := range s.APIToken.DefaultAuthzPolicies {
-		ok, err := s.Enforcer.HasPolicy(subject, p.Resource, p.Action)
-		s.NoError(err)
-		s.True(ok, fmt.Sprintf("policy %s:%s not found", p.Resource, p.Action))
+	// With the new architecture, API token policies are stored in the database, not in Casbin
+	// Verify that the token has the default policies stored
+	s.Require().NotNil(token.Policies)
+	s.Len(token.Policies, len(s.APIToken.DefaultAuthzPolicies))
+
+	// Check that all default policies are present
+	for _, expectedPolicy := range s.APIToken.DefaultAuthzPolicies {
+		found := false
+		for _, actualPolicy := range token.Policies {
+			if actualPolicy.Resource == expectedPolicy.Resource && actualPolicy.Action == expectedPolicy.Action {
+				found = true
+				break
+			}
+		}
+		s.True(found, fmt.Sprintf("policy %s:%s not found", expectedPolicy.Resource, expectedPolicy.Action))
 	}
 }
 
@@ -184,20 +187,6 @@ func (s *apiTokenTestSuite) TestRevoke() {
 		s.True(biz.IsNotFound(err))
 	})
 
-	s.Run("the revoked token also get its policies cleared", func() {
-		sub := (&authz.SubjectAPIToken{ID: s.t2.ID.String()}).String()
-		// It has the default policies
-		gotPolicies, err := s.Enforcer.GetFilteredPolicy(0, sub)
-		s.NoError(err)
-		s.Len(gotPolicies, len(s.APIToken.DefaultAuthzPolicies))
-		err = s.APIToken.Revoke(ctx, s.org.ID, s.t2.ID.String())
-		s.NoError(err)
-		// once revoked, the policies are cleared
-		gotPolicies, err = s.Enforcer.GetFilteredPolicy(0, sub)
-		s.NoError(err)
-		s.Len(gotPolicies, 0)
-	})
-
 	s.Run("token can be revoked once", func() {
 		err := s.APIToken.Revoke(ctx, s.org.ID, s.t1.ID.String())
 		s.NoError(err)

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,6 @@ const (`
`95`	`95`	`RoleGroupMaintainer Role = "role:group:maintainer"`
`96`	`96`
`97`	`97`	`// Product roles`
`98`		`-`
`99`	`98`	`RoleProductViewer Role = "role:product:viewer"`
`100`	`99`	`RoleProductAdmin Role = "role:product:admin"`
`101`	`100`	`)`