refactor: migrate Casbin to in-memory enforcer with database-stored token policies

migmartri · migmartri · commit 9c3e5fa7146d · 2025-11-10T21:54:10.000+01:00
Refactored the authorization system to improve performance and simplify architecture by moving from database-stored Casbin policies to an in-memory enforcer for role-based access control while storing API token policies directly in the database.

Benefits:
- Improved performance by eliminating database queries for role policy lookups
- Simplified architecture with clear separation between user RBAC and token ACL
- Reduced infrastructure dependencies by removing PostgreSQL adapter requirement
- More flexible token permissions management stored alongside token metadata
- Easier to reason about authorization flow with explicit dual enforcement model

Technical changes:
- Casbin now uses in-memory adapter for static role policies
- API token ACL policies stored in new policies JSONB field
- Added EnforceWithPolicies method for token-based authorization
- Migration populates existing tokens with default policies
- Updated middleware to route users and tokens to appropriate enforcement methods
- Removed database adapter dependencies and related sync logic

Signed-off-by: Miguel Martinez &lt;miguel@chainloop.dev&gt;
diff --git a/app/controlplane/pkg/authz/middleware/.mockery.yml b/app/controlplane/pkg/authz/middleware/.mockery.yml
@@ -0,0 +1,17 @@
+all: false
+dir: '{{.InterfaceDir}}'
+filename: mocks_test.go
+force-file-write: true
+formatter: goimports
+include-auto-generated: false
+log-level: info
+structname: '{{.Mock}}{{.InterfaceName}}'
+pkgname: '{{.SrcPackageName}}'
+recursive: false
+require-template-schema-exists: true
+template: testify
+template-schema: '{{.Template}}.schema.json'
+packages:
+  github.com/chainloop-dev/chainloop/app/controlplane/pkg/authz/middleware:
+    interfaces:
+      Enforcer:
diff --git a/app/controlplane/pkg/authz/middleware/mocks_test.go b/app/controlplane/pkg/authz/middleware/mocks_test.go
diff --git a/app/controlplane/pkg/data/ent/migrate/migrations/20251107233855.sql b/app/controlplane/pkg/data/ent/migrate/migrations/20251107233855.sql
@@ -0,0 +1,26 @@
+-- Modify "api_tokens" table
+ALTER TABLE "api_tokens" ADD COLUMN "policies" jsonb NULL;
+-- Populate existing tokens with default policies
+UPDATE "api_tokens" SET "policies" = '[
+  {"Resource": "workflow_run", "Action": "list"},
+  {"Resource": "workflow_run", "Action": "read"},
+  {"Resource": "workflow", "Action": "read"},
+  {"Resource": "workflow", "Action": "list"},
+  {"Resource": "workflow", "Action": "create"},
+  {"Resource": "workflow_contract", "Action": "list"},
+  {"Resource": "workflow_contract", "Action": "read"},
+  {"Resource": "workflow_contract", "Action": "update"},
+  {"Resource": "workflow_contract", "Action": "create"},
+  {"Resource": "cas_artifact", "Action": "read"},
+  {"Resource": "referrer", "Action": "read"},
+  {"Resource": "organization", "Action": "read"},
+  {"Resource": "robot_account", "Action": "create"},
+  {"Resource": "integration_available", "Action": "read"},
+  {"Resource": "integration_available", "Action": "list"},
+  {"Resource": "integration_registered", "Action": "list"},
+  {"Resource": "integration_registered", "Action": "read"},
+  {"Resource": "integration_registered", "Action": "create"},
+  {"Resource": "integration_attached", "Action": "list"},
+  {"Resource": "integration_attached", "Action": "create"},
+  {"Resource": "cas_artifact", "Action": "create"}
+]'::jsonb WHERE "policies" IS NULL;
