refactor: migrate Casbin to in-memory enforcer with database-stored token policies

CLAUDE.md

@@ -217,9 +217,12 @@ The project heavily uses code generation:
 - **Wire**: Dependency injection
 - **Ent**: ORM models and queries
 - **Buf**: Protobuf tooling and validation
+- **Mockery v3**: Test mocks - add interface to `.mockery.yml`, run `mockery` from that directory
 
 Always run `make generate` after modifying .proto files or Ent schemas.
 
+**API Token Policies**: If modifying `DefaultAuthzPolicies` in `pkg/biz/apitoken.go`, create a migration to update existing tokens' `policies` field - they're stored in DB, not loaded dynamically.
+
 ## Contract-Based Development
 
 Workflow Contracts define the structure and requirements for CI/CD attestations. They specify what materials must be collected and policies that must be evaluated.

app/artifact-cas/api/buf.yaml

@@ -7,4 +7,4 @@ deps:
   - buf.build/bufbuild/protovalidate:b983156c5e994cc9892e0ce3e64e17e0
 lint:
   use:
-    - DEFAULT
+    - STANDARD

app/artifact-cas/internal/conf/buf.yaml

@@ -7,7 +7,7 @@ deps:
   - buf.build/bufbuild/protovalidate:b983156c5e994cc9892e0ce3e64e17e0
 lint:
   use:
-    - DEFAULT
+    - STANDARD
   ignore_only:
     PACKAGE_DEFINED:
       - ./conf.proto

app/controlplane/api/buf.yaml

@@ -9,7 +9,7 @@ deps:
   - buf.build/grpc-ecosystem/grpc-gateway:v2.26.3
 lint:
   use:
-    - DEFAULT
+    - STANDARD
   ignore_only:
     ENUM_ZERO_VALUE_SUFFIX:
       - controlplane/v1/pagination.proto

app/controlplane/cmd/main.go

@@ -64,7 +64,7 @@ func init() {
 }
 
 func newApp(logger log.Logger, gs *grpc.Server, hs *http.Server, ms *server.HTTPMetricsServer, profilerSvc *server.HTTPProfilerServer,
-	expirer *biz.WorkflowRunExpirerUseCase, plugins sdk.AvailablePlugins, tokenSync *biz.APITokenSyncerUseCase,
+	expirer *biz.WorkflowRunExpirerUseCase, plugins sdk.AvailablePlugins,
 	userAccessSyncer *biz.UserAccessSyncerUseCase, casBackendChecker *biz.CASBackendChecker, cfg *conf.Bootstrap) *app {
 	servers := []transport.Server{gs, hs, ms}
 	if cfg.EnableProfiler {
@@ -79,7 +79,7 @@ func newApp(logger log.Logger, gs *grpc.Server, hs *http.Server, ms *server.HTTP
 			kratos.Metadata(map[string]string{}),
 			kratos.Logger(logger),
 			kratos.Server(servers...),
-		), expirer, plugins, tokenSync, userAccessSyncer, casBackendChecker}
+		), expirer, plugins, userAccessSyncer, casBackendChecker}
 }
 
 func main() {
@@ -152,15 +152,6 @@ func main() {
 	// TODO: Make it configurable from the application config
 	app.runsExpirer.Run(ctx, &biz.WorkflowRunExpirerOpts{CheckInterval: 1 * time.Minute, ExpirationWindow: 1 * time.Hour})
 
-	// Since policies management is not enabled yet but instead is based on a hardcoded list of permissions
-	// We'll perform a reconciliation of the policies with the tokens stored in the database on startup
-	// This will allow us to add more policies in the future and keep backwards compatibility with existing tokens
-	go func() {
-		if err := app.tokenAuthSyncer.SyncPolicies(); err != nil {
-			_ = logger.Log(log.LevelError, "msg", "syncing policies", "error", err)
-		}
-	}()
-
 	// Sync user access
 	go func() {
 		if err := app.userAccessSyncer.SyncUserAccess(ctx); err != nil {
@@ -207,7 +198,6 @@ type app struct {
 	// Periodic job that expires unfinished attestation processes older than a given threshold
 	runsExpirer      *biz.WorkflowRunExpirerUseCase
 	availablePlugins sdk.AvailablePlugins
-	tokenAuthSyncer  *biz.APITokenSyncerUseCase
 	userAccessSyncer *biz.UserAccessSyncerUseCase
 	// Background checker for CAS backends
 	casBackendChecker *biz.CASBackendChecker

app/controlplane/cmd/wire.go

@@ -53,7 +53,7 @@ func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger, sdk.Availabl
 			wire.FieldsOf(new(*conf.Bootstrap), "Server", "Auth", "Data", "CasServer", "ReferrerSharedIndex", "Onboarding", "PrometheusIntegration", "PolicyProviders", "NatsServer", "FederatedAuthentication"),
 			wire.FieldsOf(new(*conf.Data), "Database"),
 			dispatcher.New,
-			authz.NewDatabaseEnforcer,
+			authz.NewInMemoryEnforcer,
 			policies.NewRegistry,
 			newApp,
 			newProtoValidator,
@@ -71,7 +71,7 @@ func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger, sdk.Availabl
 }
 
 func authzConfig(conf *conf.Bootstrap) *authz.Config {
-	return &authz.Config{ManagedResources: authz.ManagedResources, RolesMap: authz.RolesMap, RestrictOrgCreation: conf.RestrictOrgCreation}
+	return &authz.Config{RolesMap: authz.RolesMap, RestrictOrgCreation: conf.RestrictOrgCreation}
 }
 
 func newJWTConfig(conf *conf.Auth) *biz.APITokenJWTConfig {

app/controlplane/internal/conf/buf.yaml

@@ -8,7 +8,7 @@ deps:
   - buf.build/kratos-go/kratos:e1d52e944e3845c6862a566db322432d
 lint:
   use:
-    - DEFAULT
+    - STANDARD
   ignore_only:
     PACKAGE_DEFINED:
       - ./conf.proto

app/controlplane/internal/usercontext/apitoken_middleware.go

@@ -202,6 +202,7 @@ func setCurrentOrgAndAPIToken(ctx context.Context, apiTokenUC *biz.APITokenUseCa
 		Token:       token.JWT,
 		ProjectID:   token.ProjectID,
 		ProjectName: token.ProjectName,
+		Policies:    token.Policies,
 	})
 
 	// Set the authorization subject that will be used to check the policies

app/controlplane/internal/usercontext/apitoken_middleware_test.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@ import (
 
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/usercontext/entities"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz"
-	bizMocks "github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz/mocks"
+	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz/mocks"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/jwt/apitoken"
 	"github.com/go-kratos/kratos/v2/log"
 	jwtmiddleware "github.com/go-kratos/kratos/v2/middleware/auth/jwt"
@@ -97,8 +97,8 @@ func TestWithCurrentAPITokenAndOrgMiddleware(t *testing.T) {
 		wantToken := &biz.APIToken{ID: uuid.New(), OrganizationID: wantOrgID}
 
 		t.Run(tc.name, func(t *testing.T) {
-			apiTokenRepo := bizMocks.NewAPITokenRepo(t)
-			orgRepo := bizMocks.NewOrganizationRepo(t)
+			apiTokenRepo := mocks.NewAPITokenRepo(t)
+			orgRepo := mocks.NewOrganizationRepo(t)
 			apiTokenUC, err := biz.NewAPITokenUseCase(apiTokenRepo, &biz.APITokenJWTConfig{SymmetricHmacKey: "test"}, nil, nil, nil, nil)
 			require.NoError(t, err)
 			orgUC := biz.NewOrganizationUseCase(orgRepo, nil, nil, nil, nil, nil, nil)

app/controlplane/internal/usercontext/entities/apitoken.go

@@ -19,6 +19,7 @@ import (
 	"context"
 	"time"
 
+	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/authz"
 	"github.com/google/uuid"
 )
 
@@ -30,6 +31,8 @@ type APIToken struct {
 	Token       string
 	ProjectID   *uuid.UUID
 	ProjectName *string
+	// ACL policies for this token. Used for authorization checks.
+	Policies []*authz.Policy
 }
 
 func WithCurrentAPIToken(ctx context.Context, token *APIToken) context.Context {

app/controlplane/pkg/authz/authz.go

@@ -95,34 +95,10 @@ const (
 	RoleGroupMaintainer Role = "role:group:maintainer"
 
 	// Product roles
-
 	RoleProductViewer Role = "role:product:viewer"
 	RoleProductAdmin  Role = "role:product:admin"
 )
 
-// ManagedResources are the resources that are managed by Chainloop, considered during permissions sync
-var ManagedResources = []string{
-	ResourceWorkflowContract,
-	ResourceCASArtifact,
-	ResourceCASBackend,
-	ResourceReferrer,
-	ResourceAvailableIntegration,
-	ResourceRegisteredIntegration,
-	ResourceAttachedIntegration,
-	ResourceOrgMetric,
-	ResourceRobotAccount,
-	ResourceWorkflowRun,
-	ResourceWorkflow,
-	ResourceProject,
-	Organization,
-	OrganizationMemberships,
-	ResourceGroup,
-	ResourceGroupMembership,
-	ResourceAPIToken,
-	ResourceProjectMembership,
-	ResourceOrganizationInvitations,
-}
-
 var (
 	// Referrer
 	PolicyReferrerRead = &Policy{ResourceReferrer, ActionRead}