refactor: migrate Casbin to in-memory enforcer with database-stored token policies #2529
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jiparis
approved these changes
Nov 10, 2025
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
…oken policies Refactored the authorization system to improve performance and simplify architecture by moving from database-stored Casbin policies to an in-memory enforcer for role-based access control while storing API token policies directly in the database. Benefits: - Improved performance by eliminating database queries for role policy lookups - Simplified architecture with clear separation between user RBAC and token ACL - Reduced infrastructure dependencies by removing PostgreSQL adapter requirement - More flexible token permissions management stored alongside token metadata - Easier to reason about authorization flow with explicit dual enforcement model Technical changes: - Casbin now uses in-memory adapter for static role policies - API token ACL policies stored in new policies JSONB field - Added EnforceWithPolicies method for token-based authorization - Migration populates existing tokens with default policies - Updated middleware to route users and tokens to appropriate enforcement methods - Removed database adapter dependencies and related sync logic Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Removed obsolete test for database sync behavior and consolidated to mockery v3 mocks package. Changes: - Removed TestSyncMultipleEnforcers (tested database sync, no longer relevant with in-memory enforcer) - Migrated casbackend_test.go to use mocks package instead of mocks_test.go - Deleted pkg/biz/mocks_test.go (replaced by pkg/biz/mocks/ package) - Added mockery v3 and API token policies notes to CLAUDE.md Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Refactored the authorization system to improve performance and simplify architecture by moving from database-stored Casbin policies to an in-memory enforcer for role-based access control while storing API token policies directly in the database.
Benefits
Technical Changes
policiesJSONB field inapi_tokenstableEnforceWithPoliciesmethod for token-based authorization checksTesting
EnforceWithPoliciesmethodrefs #2486