feat: decouple cas-mappings table from attestations (#1921)

Signed-off-by: Miguel Martinez <[email protected]>

Author: migmartri

app/controlplane/internal/service/cascredential.go

@@ -103,7 +103,7 @@ func (s *CASCredentialsService) Get(ctx context.Context, req *pb.CASCredentialsS
 		}
 
 		// If we can't find a mapping, we'll use the default backend
-		if err != nil && !biz.IsNotFound(err) && !biz.IsErrUnauthorized(err) {
+		if err != nil && !biz.IsNotFound(err) {
 			if biz.IsErrValidation(err) {
 				return nil, errors.BadRequest("invalid", err.Error())
 			}

app/controlplane/internal/service/casredirect.go

@@ -88,7 +88,7 @@ func (s *CASRedirectService) GetDownloadURL(ctx context.Context, req *pb.GetDown
 	if err != nil {
 		// We don't want to leak the fact that the asset exists but the user does not have permissions
 		// that's why we return a generic 404 in unauthorized scenarios too
-		if biz.IsNotFound(err) || biz.IsErrUnauthorized(err) {
+		if biz.IsNotFound(err) {
 			return nil, kerrors.NotFound("not found", "artifact not found")
 		} else if biz.IsErrValidation(err) {
 			return nil, kerrors.BadRequest("invalid", err.Error())

app/controlplane/pkg/biz/biz.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -113,3 +113,7 @@ type EntityRef struct {
 	// Name is the name of the entity
 	Name string
 }
+
+func ToPtr[T any](v T) *T {
+	return &v
+}

app/controlplane/pkg/biz/casmapping.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2023-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -17,7 +17,6 @@ package biz
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"time"
 
@@ -39,7 +38,8 @@ type CASMapping struct {
 }
 
 type CASMappingRepo interface {
-	Create(ctx context.Context, digest string, casBackendID, workflowRunID uuid.UUID) (*CASMapping, error)
+	// Create a mapping with an optional workflow run id
+	Create(ctx context.Context, digest string, casBackendID uuid.UUID, workflowRunID *uuid.UUID) (*CASMapping, error)
 	// List all the CAS mappings for the given digest
 	FindByDigest(ctx context.Context, digest string) ([]*CASMapping, error)
 }
@@ -54,15 +54,20 @@ func NewCASMappingUseCase(repo CASMappingRepo, mRepo MembershipRepo, logger log.
 	return &CASMappingUseCase{repo, mRepo, servicelogger.ScopedHelper(logger, "cas-mapping-usecase")}
 }
 
-func (uc *CASMappingUseCase) Create(ctx context.Context, digest string, casBackendID, workflowRunID string) (*CASMapping, error) {
+// Create a mapping with an optional workflow run id
+func (uc *CASMappingUseCase) Create(ctx context.Context, digest string, casBackendID string, workflowRunID string) (*CASMapping, error) {
 	casBackendUUID, err := uuid.Parse(casBackendID)
 	if err != nil {
 		return nil, NewErrInvalidUUID(err)
 	}
 
-	workflowRunUUID, err := uuid.Parse(workflowRunID)
-	if err != nil {
-		return nil, NewErrInvalidUUID(err)
+	var workflowRunUUID *uuid.UUID
+	if workflowRunID != "" {
+		runUUID, err := uuid.Parse(workflowRunID)
+		if err != nil {
+			return nil, NewErrInvalidUUID(err)
+		}
+		workflowRunUUID = &runUUID
 	}
 
 	// parse the digest to make sure is a valid sha256 sum
@@ -101,14 +106,28 @@ func (uc *CASMappingUseCase) FindCASMappingForDownloadByUser(ctx context.Context
 		userOrgs = append(userOrgs, m.OrganizationID.String())
 	}
 
-	return uc.FindCASMappingForDownloadByOrg(ctx, digest, userOrgs)
+	mapping, err := uc.FindCASMappingForDownloadByOrg(ctx, digest, userOrgs)
+	if err != nil {
+		return nil, fmt.Errorf("failed to find cas mapping for download: %w", err)
+	}
+
+	return mapping, nil
 }
 
-func (uc *CASMappingUseCase) FindCASMappingForDownloadByOrg(ctx context.Context, digest string, orgs []string) (*CASMapping, error) {
+func (uc *CASMappingUseCase) FindCASMappingForDownloadByOrg(ctx context.Context, digest string, orgs []string) (result *CASMapping, err error) {
 	if _, err := cr_v1.NewHash(digest); err != nil {
 		return nil, NewErrValidation(fmt.Errorf("invalid digest format: %w", err))
 	}
 
+	// log the result
+	defer func() {
+		if result != nil {
+			uc.logger.Infow("msg", "mapping found!", "digest", digest, "orgs", orgs, "casBackend", result.CASBackend.ID, "default", result.CASBackend.Default, "public", result.Public)
+		} else if err == nil || IsNotFound(err) {
+			uc.logger.Infow("msg", "no mapping found!", "digest", digest, "orgs", orgs)
+		}
+	}()
+
 	if len(orgs) == 0 {
 		return nil, NewErrValidationStr("no organizations provided")
 	}
@@ -129,24 +148,19 @@ func (uc *CASMappingUseCase) FindCASMappingForDownloadByOrg(ctx context.Context,
 	if err != nil {
 		return nil, fmt.Errorf("failed to load mappings associated to an user: %w", err)
 	} else if len(orgMappings) > 0 {
-		result := defaultOrFirst(orgMappings)
-
-		uc.logger.Infow("msg", "mapping found!", "digest", digest, "orgs", orgs, "casBackend", result.CASBackend.ID, "default", result.CASBackend.Default, "public", result.Public)
-		return result, nil
+		return defaultOrFirst(orgMappings), nil
 	}
 
 	// 3 - mappings that are public
 	publicMappings := filterByPublic(mappings)
 	// The user has not access to neither proprietary nor public mappings
 	if len(publicMappings) == 0 {
 		uc.logger.Warnw("msg", "digest exist but user does not have access to it", "digest", digest, "orgs", orgs)
-		return nil, NewErrUnauthorized(errors.New("unauthorized access to the artifact"))
+		return nil, NewErrNotFound("digest not found in any mapping")
 	}
 
 	// Pick the appropriate mapping from multiple ones
-	result := defaultOrFirst(publicMappings)
-	uc.logger.Infow("msg", "mapping found!", "digest", digest, "orgs", orgs, "casBackend", result.CASBackend.ID, "default", result.CASBackend.Default, "public", result.Public)
-	return result, nil
+	return defaultOrFirst(publicMappings), nil
 }
 
 // Extract only the mappings associated with a list of orgs

app/controlplane/pkg/biz/casmapping_integration_test.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2023-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -33,11 +33,12 @@ import (
 
 const (
 	// This is the digest of the empty envelope
-	validDigest       = "sha256:f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"
-	validDigest2      = "sha256:2b0f04c276be095e62f3ac03b9991913c37df1fcd44548e75069adce313aba4d"
-	validDigest3      = "sha256:1b0f04c276be095e62f3ac03b9991913c37df1fcd44548e75069adce313aba4d"
-	validDigestPublic = "sha256:8b0f04c276be095e62f3ac03b9991913c37df1fcd44548e75069adce313aba4d"
-	invalidDigest     = "sha256:deadbeef"
+	validDigest           = "sha256:f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"
+	validDigest2          = "sha256:2b0f04c276be095e62f3ac03b9991913c37df1fcd44548e75069adce313aba4d"
+	validDigest3          = "sha256:1b0f04c276be095e62f3ac03b9991913c37df1fcd44548e75069adce313aba4d"
+	validDigestPublic     = "sha256:8b0f04c276be095e62f3ac03b9991913c37df1fcd44548e75069adce313aba4d"
+	validDigestWithoutRun = "sha256:63e8ec8e489d31265fb920241da3300ec36c10865d2e287e055d4e1287ce25e6"
+	invalidDigest         = "sha256:deadbeef"
 )
 
 func (s *casMappingIntegrationSuite) TestCASMappingForDownloadUser() {
@@ -121,6 +122,8 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadByOrg() {
 	require.NoError(s.T(), err)
 	_, err = s.CASMapping.Create(ctx, validDigestPublic, s.casBackend3.ID.String(), s.publicWorkflowRun.ID.String())
 	require.NoError(s.T(), err)
+	_, err = s.CASMapping.Create(ctx, validDigestWithoutRun, s.casBackend3.ID.String(), "")
+	require.NoError(s.T(), err)
 
 	// both validDigest and validDigest2 from two different orgs
 	s.Run("validDigest is in org1", func() {
@@ -137,6 +140,17 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadByOrg() {
 		s.Equal(s.casBackend3.ID, mapping.CASBackend.ID)
 	})
 
+	s.Run("validDigestWithoutRun is available only to org 3", func() {
+		mapping, err := s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigestWithoutRun, []string{s.casBackend3.OrganizationID.String()})
+		s.NoError(err)
+		s.NotNil(mapping)
+		s.Equal(s.casBackend3.ID, mapping.CASBackend.ID)
+
+		mapping, err = s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigestWithoutRun, []string{s.org1.ID})
+		s.Error(err)
+		s.Nil(mapping)
+	})
+
 	s.Run("can't find an invalid digest", func() {
 		mapping, err := s.CASMapping.FindCASMappingForDownloadByOrg(ctx, invalidDigest, []string{s.org1.ID})
 		s.Error(err)
@@ -234,70 +248,84 @@ func (s *casMappingIntegrationSuite) TestCreate() {
 		name          string
 		digest        string
 		casBackendID  uuid.UUID
-		workflowRunID uuid.UUID
+		workflowRunID *uuid.UUID
 		wantErr       bool
 		wantPublic    bool
 	}{
 		{
 			name:          "valid",
 			digest:        validDigest,
 			casBackendID:  s.casBackend1.ID,
-			workflowRunID: s.workflowRun.ID,
+			workflowRunID: biz.ToPtr(s.workflowRun.ID),
 		},
 		{
 			name:          "created again with same digest",
 			digest:        validDigest,
 			casBackendID:  s.casBackend1.ID,
-			workflowRunID: s.workflowRun.ID,
+			workflowRunID: biz.ToPtr(s.workflowRun.ID),
 		},
 		{
 			name:          "invalid digest format",
 			digest:        invalidDigest,
 			casBackendID:  s.casBackend1.ID,
-			workflowRunID: s.workflowRun.ID,
+			workflowRunID: biz.ToPtr(s.workflowRun.ID),
 			wantErr:       true,
 		},
 		{
 			name:          "invalid digest missing prefix",
 			digest:        "3b0f04c276be095e62f3ac03b9991913c37df1fcd44548e75069adce313aba4d",
 			casBackendID:  s.casBackend1.ID,
-			workflowRunID: s.workflowRun.ID,
+			workflowRunID: biz.ToPtr(s.workflowRun.ID),
 			wantErr:       true,
 		},
 		{
 			name:          "non-existing CASBackend",
 			digest:        validDigest,
 			casBackendID:  uuid.New(),
-			workflowRunID: s.workflowRun.ID,
+			workflowRunID: biz.ToPtr(s.workflowRun.ID),
 			wantErr:       true,
 		},
 		{
 			name:          "non-existing WorkflowRunID",
 			digest:        validDigest,
 			casBackendID:  s.casBackend1.ID,
-			workflowRunID: uuid.New(),
+			workflowRunID: biz.ToPtr(uuid.New()),
 			wantErr:       true,
 		},
 		{
 			name:          "public workflowrun",
 			digest:        validDigest,
 			casBackendID:  s.casBackend1.ID,
-			workflowRunID: s.publicWorkflowRun.ID,
+			workflowRunID: biz.ToPtr(s.publicWorkflowRun.ID),
 			wantPublic:    true,
 		},
+		{
+			name:         "not associated to any workflowrun",
+			digest:       validDigest,
+			casBackendID: s.casBackend1.ID,
+			wantPublic:   false,
+		},
 	}
 
 	for _, tc := range testCases {
 		want := &biz.CASMapping{
-			Digest:        validDigest,
-			CASBackend:    &biz.CASBackend{ID: s.casBackend1.ID},
-			WorkflowRunID: tc.workflowRunID,
-			OrgID:         s.casBackend1.OrganizationID,
-			Public:        tc.wantPublic,
+			Digest:     validDigest,
+			CASBackend: &biz.CASBackend{ID: s.casBackend1.ID},
+			OrgID:      s.casBackend1.OrganizationID,
+			Public:     tc.wantPublic,
+		}
+
+		if tc.workflowRunID != nil {
+			want.WorkflowRunID = *tc.workflowRunID
 		}
 
 		s.Run(tc.name, func() {
-			got, err := s.CASMapping.Create(context.TODO(), tc.digest, tc.casBackendID.String(), tc.workflowRunID.String())
+			var workflowRunID string
+			if tc.workflowRunID != nil {
+				workflowRunID = tc.workflowRunID.String()
+			}
+
+			got, err := s.CASMapping.Create(context.TODO(), tc.digest, tc.casBackendID.String(), workflowRunID)
 			if tc.wantErr {
 				s.Error(err)
 			} else {

app/controlplane/pkg/biz/casmapping_test.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2023-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -90,7 +90,7 @@ func (s *casMappingSuite) TestCreate() {
 	}
 
 	// Mock successful repo call
-	s.repo.On("Create", mock.Anything, validDigest, validUUID, validUUID).Return(want, nil).Maybe()
+	s.repo.On("Create", mock.Anything, validDigest, validUUID, biz.ToPtr(validUUID)).Return(want, nil).Maybe()
 
 	for _, tc := range testCases {
 		s.Run(tc.name, func() {