feat: allow to perform attestations with user token #1883

Merged
merged 3 commits into from
Mar 11, 2025

Conversation

migmartri
Member

This PR adds support to perform attestations with a user token. The change basically includes two things:

1 - Chain a user-token authenticator to the JWTMulti cascade-based middleware we use during attestations
2 - Add an additional middleware to set the required user and org context required in the service layer.

About 2: I managed to implement it by basically reusing the existing middlewares, just wrapping the calls. Additionally, we do an authorization check to make sure read-only users cannot attest in the org.

Demo

I have three orgs with organization-2 set as default client-side

go run main.go org ls
WRN API contacted in insecure mode
WRN Both user credentials and $CHAINLOOP_TOKEN set. Ignoring $CHAINLOOP_TOKEN.
┌────────────────┬─────────┬─────────┬───────┬─────────────────────────┬─────────────────────┐
│ NAME           │ CURRENT │ DEFAULT │ ROLE  │ DEFAULT POLICY STRATEGY │ JOINED AT           │
├────────────────┼─────────┼─────────┼───────┼─────────────────────────┼─────────────────────┤
│ new-org        │ false   │ true    │ owner │ ADVISORY                │ 10 Jan 25 11:58 UTC │
├────────────────┼─────────┼─────────┼───────┼─────────────────────────┼─────────────────────┤
│ foobar         │ false   │ false   │ owner │ ENFORCED                │ 22 Dec 24 08:02 UTC │
├────────────────┼─────────┼─────────┼───────┼─────────────────────────┼─────────────────────┤
│ organization-2 │ true    │ false   │ owner │ ADVISORY                │ 17 Dec 24 12:40 UTC │
└────────────────┴─────────┴─────────┴───────┴─────────────────────────┴─────────────────────┘

If I perform an attestation, organization-2 will be picked

go run main.go att init --workflow demo --project chainloop-contrib --replace
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────────────┬──────────────────────────────────────┐
│ Initialized At            │ 10 Mar 25 22:27 UTC                  │
├───────────────────────────┼──────────────────────────────────────┤
│ Attestation ID            │ 7c8f9e8a-24f5-4347-8172-997d04f70648 │
│ Organization              │ organization-2                       │
│ Name                      │ demo                                 │
│ Project                   │ chainloop-contrib                    │
│ Version                   │ v0.178.0 (prerelease)                │
│ Contract                  │ chainloop-contrib-demo (revision 1)  │
│ Policy violation strategy │ ADVISORY                             │
└───────────────────────────┴──────────────────────────────────────┘

which can be overridden either manually with the --org flag

go run main.go att init --workflow demo --project chainloop-contrib --replace --org new-org
WRN API contacted in insecure mode
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────────────┬──────────────────────────────────────┐
│ Initialized At            │ 10 Mar 25 22:27 UTC                  │
├───────────────────────────┼──────────────────────────────────────┤
│ Attestation ID            │ 91d87fd6-55a8-4516-aa44-45737bb182fd │
│ Organization              │ new-org                              │
│ Name                      │ demo                                 │
│ Project                   │ chainloop-contrib                    │
│ Version                   │ v0.178.0 (prerelease)                │
│ Contract                  │ chainloop-contrib-demo (revision 1)  │
│ Policy violation strategy │ ADVISORY                             │
└───────────────────────────┴──────────────────────────────────────┘

closes #1003
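
An added example, not code from this pull request or from the Chainloop code base: the two steps the description names, a cascade that tries each authenticator in turn and a follow-up step that sets the org for a user identity and refuses read-only members. Every type and function name, the `cl-api:`/`cl-user:` token prefixes (which stand in for real token verification) and the `viewer` role label are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Every name below is hypothetical; ErrSkip means "not my kind of credential".
type Identity struct{ Kind, Subject string }
type Authenticator func(token string) (*Identity, error)
var ErrSkip = errors.New("credential not handled here")
var ErrForbidden = errors.New("not allowed to attest in this org")

// Authenticate tries each authenticator in order; only ErrSkip moves on to the next.
func Authenticate(token string, auths ...Authenticator) (*Identity, error) {
	for _, a := range auths {
		if id, err := a(token); !errors.Is(err, ErrSkip) {
			return id, err
		}
	}
	return nil, errors.New("unauthenticated")
}

// prefixAuth stands in for token verification (constructed prefixes, no real JWT checks).
func prefixAuth(kind, prefix string) Authenticator {
	return func(token string) (*Identity, error) {
		if !strings.HasPrefix(token, prefix) {
			return nil, ErrSkip
		}
		return &Identity{Kind: kind, Subject: strings.TrimPrefix(token, prefix)}, nil
	}
}

// AttestOrg picks the org (override wins over current) and denies read-only members.
func AttestOrg(id *Identity, roles map[string]string, current, override string) (string, error) {
	org := current
	if override != "" {
		org = override
	}
	if role, ok := roles[id.Subject+"@"+org]; !ok || role == "viewer" {
		return "", fmt.Errorf("%s in %q: %w", id.Subject, org, ErrForbidden)
	}
	return org, nil
}

func main() {
	id, _ := Authenticate("cl-user:alice", prefixAuth("api-token", "cl-api:"), prefixAuth("user", "cl-user:"))
	fmt.Println(AttestOrg(id, map[string]string{"alice@organization-2": "owner"}, "organization-2", ""))
}
```

The membership lookup fails closed: a user with no role entry in the selected org is rejected the same way as a read-only member.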

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri requested review from jiparis and javirln March 10, 2025 22:30
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri merged commit fd72555 into chainloop-dev:main Mar 11, 2025
11 of 12 checks passed
Successfully merging this pull request may close these issues.

Being able to attest as an user