clear goroutines

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>

Author: migmartri

app/controlplane/cmd/main.go

@@ -152,14 +152,6 @@ func main() {
 	app.runsExpirer.Run(ctx, &biz.WorkflowRunExpirerOpts{CheckInterval: 1 * time.Minute, ExpirationWindow: 1 * time.Hour})
 
 	// Since policies management is not enabled yet but instead is based on a hardcoded list of permissions
-	// We'll perform a reconciliation of the policies with the tokens stored in the database on startup
-	// This will allow us to add more policies in the future and keep backwards compatibility with existing tokens
-	go func() {
-		if err := app.tokenAuthSyncer.SyncPolicies(); err != nil {
-			_ = logger.Log(log.LevelError, "msg", "syncing policies", "error", err)
-		}
-	}()
-
 	// Sync user access
 	go func() {
 		if err := app.userAccessSyncer.SyncUserAccess(ctx); err != nil {

app/controlplane/cmd/wire.go

@@ -53,7 +53,7 @@ func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger, sdk.Availabl
 			wire.FieldsOf(new(*conf.Bootstrap), "Server", "Auth", "Data", "CasServer", "ReferrerSharedIndex", "Onboarding", "PrometheusIntegration", "PolicyProviders", "NatsServer", "FederatedAuthentication"),
 			wire.FieldsOf(new(*conf.Data), "Database"),
 			dispatcher.New,
-			authz.NewDatabaseEnforcer,
+			authz.NewInMemoryEnforcer,
 			policies.NewRegistry,
 			newApp,
 			newProtoValidator,

app/controlplane/cmd/wire_gen.go

@@ -202,6 +202,7 @@ func setCurrentOrgAndAPIToken(ctx context.Context, apiTokenUC *biz.APITokenUseCa
 		Token:       token.JWT,
 		ProjectID:   token.ProjectID,
 		ProjectName: token.ProjectName,
+		Policies:    token.Policies,
 	})
 
 	// Set the authorization subject that will be used to check the policies

app/controlplane/internal/usercontext/apitoken_middleware.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@ import (
 
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/usercontext/entities"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz"
-	bizMocks "github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz/mocks"
+	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz/mocks"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/jwt/apitoken"
 	"github.com/go-kratos/kratos/v2/log"
 	jwtmiddleware "github.com/go-kratos/kratos/v2/middleware/auth/jwt"
@@ -97,8 +97,8 @@ func TestWithCurrentAPITokenAndOrgMiddleware(t *testing.T) {
 		wantToken := &biz.APIToken{ID: uuid.New(), OrganizationID: wantOrgID}
 
 		t.Run(tc.name, func(t *testing.T) {
-			apiTokenRepo := bizMocks.NewAPITokenRepo(t)
-			orgRepo := bizMocks.NewOrganizationRepo(t)
+			apiTokenRepo := mocks.NewAPITokenRepo(t)
+			orgRepo := mocks.NewOrganizationRepo(t)
 			apiTokenUC, err := biz.NewAPITokenUseCase(apiTokenRepo, &biz.APITokenJWTConfig{SymmetricHmacKey: "test"}, nil, nil, nil, nil)
 			require.NoError(t, err)
 			orgUC := biz.NewOrganizationUseCase(orgRepo, nil, nil, nil, nil, nil, nil)

app/controlplane/internal/usercontext/apitoken_middleware_test.go

@@ -19,6 +19,7 @@ import (
 	"context"
 	"time"
 
+	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/authz"
 	"github.com/google/uuid"
 )
 
@@ -30,6 +31,8 @@ type APIToken struct {
 	Token       string
 	ProjectID   *uuid.UUID
 	ProjectName *string
+	// ACL policies for this token. Used for authorization checks.
+	Policies []*authz.Policy
 }
 
 func WithCurrentAPIToken(ctx context.Context, token *APIToken) context.Context {

app/controlplane/internal/usercontext/entities/apitoken.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,92 +16,14 @@
 package authz
 
 import (
-	"fmt"
 	"io"
 	"os"
 	"testing"
 
-	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-func TestAddPolicies(t *testing.T) {
-	testcases := []struct {
-		name               string
-		subject            *SubjectAPIToken
-		policies           []*Policy
-		wantErr            bool
-		wantNumberPolicies int
-	}{
-		{
-			name:    "empty policies and subject",
-			wantErr: true,
-		},
-		{
-			name: "no subject",
-			policies: []*Policy{
-				PolicyWorkflowContractList,
-			},
-			wantErr: true,
-		},
-		{
-			name:    "no policies",
-			subject: &SubjectAPIToken{ID: uuid.NewString()},
-			wantErr: true,
-		},
-		{
-			name:    "adds two policies",
-			subject: &SubjectAPIToken{ID: uuid.NewString()},
-			policies: []*Policy{
-				PolicyWorkflowContractList,
-				PolicyReferrerRead,
-			},
-			wantNumberPolicies: 2,
-		},
-		{
-			name: "handles duplicated policies",
-			subject: &SubjectAPIToken{
-				ID: uuid.NewString(),
-			},
-			policies: []*Policy{
-				PolicyWorkflowContractList,
-				PolicyWorkflowContractRead,
-				PolicyWorkflowContractUpdate,
-				PolicyWorkflowContractList,
-				PolicyArtifactDownload,
-				PolicyWorkflowContractUpdate,
-				PolicyArtifactDownload,
-			},
-			wantNumberPolicies: 4,
-		},
-	}
-
-	for _, tc := range testcases {
-		t.Run(tc.name, func(t *testing.T) {
-			enforcer, closer := testEnforcer(t)
-			closer.Close()
-
-			err := enforcer.AddPolicies(tc.subject, tc.policies...)
-			if tc.wantErr {
-				assert.Error(t, err)
-				return
-			}
-
-			require.NoError(t, err)
-
-			for _, p := range tc.policies {
-				ok, err := enforcer.HasPolicy(tc.subject.String(), p.Resource, p.Action)
-				assert.NoError(t, err)
-				assert.True(t, ok, fmt.Sprintf("policy %s:%s not found", p.Resource, p.Action))
-			}
-
-			gotLength, err := enforcer.GetFilteredPolicy(0, tc.subject.String())
-			assert.NoError(t, err)
-			assert.Len(t, gotLength, tc.wantNumberPolicies)
-		})
-	}
-}
 
 // simulate 2 enforcers on the same database (by acting on the same file enforcer)
 func TestSyncMultipleEnforcers(t *testing.T) {
@@ -219,31 +141,6 @@ func TestSyncMultipleEnforcers(t *testing.T) {
 	}
 }
 
-func TestAddPoliciesDuplication(t *testing.T) {
-	want := []*Policy{
-		PolicyWorkflowContractList,
-		PolicyWorkflowContractRead,
-	}
-
-	enforcer, closer := testEnforcer(t)
-	defer closer.Close()
-	sub := &SubjectAPIToken{ID: uuid.NewString()}
-
-	err := enforcer.AddPolicies(sub, want...)
-	require.NoError(t, err)
-	got, err := enforcer.GetFilteredPolicy(0, sub.String())
-	require.NoError(t, err)
-	assert.Len(t, got, 2)
-
-	// Update the list of policies we want to add by appending an extra one
-	want = append(want, PolicyWorkflowContractUpdate)
-	// AddPolicies only add the policies that are not already present preventing duplication
-	err = enforcer.AddPolicies(sub, want...)
-	assert.NoError(t, err)
-	got, err = enforcer.GetFilteredPolicy(0, sub.String())
-	assert.NoError(t, err)
-	assert.Len(t, got, 3)
-}
 
 func TestSyncRBACRoles(t *testing.T) {
 	e, closer := testEnforcer(t)
@@ -346,39 +243,6 @@ func TestDoSync(t *testing.T) {
 	assert.Len(t, got, 2)
 }
 
-func TestClearPolicies(t *testing.T) {
-	want := []*Policy{
-		PolicyWorkflowContractList,
-		PolicyWorkflowContractRead,
-	}
-
-	enforcer, closer := testEnforcer(t)
-	defer closer.Close()
-	sub := &SubjectAPIToken{ID: uuid.NewString()}
-	sub2 := &SubjectAPIToken{ID: uuid.NewString()}
-
-	// Create policies for two different subjects
-	err := enforcer.AddPolicies(sub, want...)
-	require.NoError(t, err)
-	err = enforcer.AddPolicies(sub2, want...)
-	require.NoError(t, err)
-	// Each have 2 items
-	got, err := enforcer.GetFilteredPolicy(0, sub.String())
-	require.NoError(t, err)
-	assert.Len(t, got, 2)
-
-	// Clear all the policies for the subject
-	err = enforcer.ClearPolicies(sub)
-	assert.NoError(t, err)
-	// there should be no policies left for this user
-	got, err = enforcer.GetFilteredPolicy(0, sub.String())
-	require.NoError(t, err)
-	assert.Len(t, got, 0)
-	// but the other user should still have 2
-	got, err = enforcer.GetFilteredPolicy(0, sub2.String())
-	require.NoError(t, err)
-	assert.Len(t, got, 2)
-}
 
 func testEnforcer(t *testing.T) (*Enforcer, io.Closer) {
 	f, err := os.CreateTemp(t.TempDir(), "policy*.csv")