diff --git a/app/cli/cmd/referrer_discover.go b/app/cli/cmd/referrer_discover.go index 2e55ea9a0..fbedf4378 100644 --- a/app/cli/cmd/referrer_discover.go +++ b/app/cli/cmd/referrer_discover.go @@ -26,7 +26,6 @@ import ( func newReferrerDiscoverCmd() *cobra.Command { var digest, kind string - var fromPublicIndex bool paginationOpts := &options.PaginationOpts{DefaultLimit: 20} cmd := &cobra.Command{ @@ -38,15 +37,7 @@ func newReferrerDiscoverCmd() *cobra.Command { NextCursor: paginationOpts.NextCursor, } - var res *action.ReferrerDiscoverResult - var err error - - if fromPublicIndex { - res, err = action.NewReferrerDiscoverPublicIndex(ActionOpts).Run(context.Background(), digest, kind, pagination) - } else { - res, err = action.NewReferrerDiscoverPrivate(ActionOpts).Run(context.Background(), digest, kind, pagination) - } - + res, err := action.NewReferrerDiscoverPrivate(ActionOpts).Run(context.Background(), digest, kind, pagination) if err != nil { return err } @@ -61,7 +52,6 @@ func newReferrerDiscoverCmd() *cobra.Command { cobra.CheckErr(err) cmd.Flags().StringVarP(&kind, "kind", "k", "", "optional kind of the referrer, used to disambiguate between multiple referrers with the same digest") cobra.CheckErr(err) - cmd.Flags().BoolVar(&fromPublicIndex, "public", false, "discover from public shared index instead of your organizations'") paginationOpts.AddFlags(cmd) return cmd diff --git a/app/cli/cmd/workflow_create.go b/app/cli/cmd/workflow_create.go index 03b775c0a..a7ac2b036 100644 --- a/app/cli/cmd/workflow_create.go +++ b/app/cli/cmd/workflow_create.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -27,7 +27,7 @@ import ( func newWorkflowCreateCmd() *cobra.Command { var workflowName, description, project, team, contractRef string - var public, skipIfExists bool + var skipIfExists bool cmd := &cobra.Command{ Use: "create", @@ -47,7 +47,6 @@ func newWorkflowCreateCmd() *cobra.Command { RunE: func(cmd *cobra.Command, args []string) error { opts := &action.NewWorkflowCreateOpts{ Name: workflowName, Team: team, Project: project, Description: description, - Public: public, } // Try to load it if it's a file or URL otherwise assume it's an existing contract name @@ -96,7 +95,6 @@ func newWorkflowCreateCmd() *cobra.Command { cmd.Flags().StringVar(&team, "team", "", "team name") cmd.Flags().StringVar(&contractRef, "contract", "", "the name of an existing contract or the path/URL to a contract file. If not provided an empty one will be created.") - cmd.Flags().BoolVar(&public, "public", false, "is the workflow public") cmd.Flags().BoolVarP(&skipIfExists, "skip-if-exists", "f", false, "do not fail if the workflow with the provided name already exists") cmd.Flags().SortFlags = false diff --git a/app/cli/cmd/workflow_list.go b/app/cli/cmd/workflow_list.go index b2d51d538..3ec368eee 100644 --- a/app/cli/cmd/workflow_list.go +++ b/app/cli/cmd/workflow_list.go @@ -1,5 +1,5 @@ // -// Copyright 2024 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -97,8 +97,8 @@ func WorkflowListTableOutput(workflowListResult *action.WorkflowListResult) erro return nil } - headerRow := table.Row{"Name", "Project", "Contract", "Public", "Runner", "Last Run status", "Created At"} - headerRowFull := table.Row{"Name", "Description", "Project", "Team", "Contract", "Public", "Runner", "Last Run status", "Created At"} + headerRow := table.Row{"Name", "Project", "Contract", "Runner", "Last Run status", "Created At"} + headerRowFull := table.Row{"Name", "Description", "Project", "Team", "Contract", "Runner", "Last Run status", "Created At"} t := output.NewTableWriter() if full { @@ -117,14 +117,14 @@ func WorkflowListTableOutput(workflowListResult *action.WorkflowListResult) erro if !full { row = table.Row{ - p.Name, p.Project, p.ContractName, p.Public, + p.Name, p.Project, p.ContractName, lastRunRunner, lastRunState, p.CreatedAt.Format(time.RFC822), } } else { row = table.Row{ p.Name, p.Description, p.Project, p.Team, - p.ContractName, p.Public, + p.ContractName, lastRunRunner, lastRunState, p.CreatedAt.Format(time.RFC822), } diff --git a/app/cli/cmd/workflow_update.go b/app/cli/cmd/workflow_update.go index 965f78532..44913f5b7 100644 --- a/app/cli/cmd/workflow_update.go +++ b/app/cli/cmd/workflow_update.go @@ -1,5 +1,5 @@ // -// Copyright 2024 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -25,7 +25,6 @@ import ( func newWorkflowUpdateCmd() *cobra.Command { var name, description, project, team, contractName string - var public bool cmd := &cobra.Command{ Use: "update", @@ -35,9 +34,6 @@ func newWorkflowUpdateCmd() *cobra.Command { if cmd.Flags().Changed("team") { opts.Team = &team } - if cmd.Flags().Changed("public") { - opts.Public = &public - } if cmd.Flags().Changed("description") { opts.Description = &description @@ -64,7 +60,6 @@ func newWorkflowUpdateCmd() *cobra.Command { cmd.Flags().StringVar(&description, "description", "", "workflow description") cmd.Flags().StringVar(&team, "team", "", "team name") - cmd.Flags().BoolVar(&public, "public", false, "is the workflow public") cmd.Flags().StringVar(&contractName, "contract", "", "the name of an existing contract") return cmd diff --git a/app/cli/documentation/cli-reference.mdx b/app/cli/documentation/cli-reference.mdx index 979a8263f..63e58e572 100755 --- a/app/cli/documentation/cli-reference.mdx +++ b/app/cli/documentation/cli-reference.mdx @@ -1578,7 +1578,6 @@ Options -k, --kind string optional kind of the referrer, used to disambiguate between multiple referrers with the same digest --limit int number of items to show (default 20) --next string cursor to load the next page ---public discover from public shared index instead of your organizations' ``` Options inherited from parent commands @@ -3719,7 +3718,6 @@ Options --project string project name --team string team name --contract string the name of an existing contract or the path/URL to a contract file. If not provided an empty one will be created. ---public is the workflow public -f, --skip-if-exists do not fail if the workflow with the provided name already exists -h, --help help for create ``` @@ -3910,7 +3908,6 @@ Options -h, --help help for update --name string workflow name --project string project name ---public is the workflow public --team string team name ``` diff --git a/app/cli/pkg/action/referrer_discover.go b/app/cli/pkg/action/referrer_discover.go index 410a74329..44c903be1 100644 --- a/app/cli/pkg/action/referrer_discover.go +++ b/app/cli/pkg/action/referrer_discover.go @@ -25,15 +25,11 @@ import ( type ReferrerDiscover struct { cfg *ActionsOpts } -type ReferrerDiscoverPublic struct { - cfg *ActionsOpts -} type ReferrerItem struct { Digest string `json:"digest"` Kind string `json:"kind"` Downloadable bool `json:"downloadable"` - Public bool `json:"public"` CreatedAt *time.Time `json:"createdAt"` References []*ReferrerItem `json:"references"` Metadata map[string]string `json:"metadata,omitempty"` @@ -63,27 +59,6 @@ func (action *ReferrerDiscover) Run(ctx context.Context, digest, kind string, p return newReferrerDiscoverResult(resp.Result, resp.GetPagination()), nil } -func NewReferrerDiscoverPublicIndex(cfg *ActionsOpts) *ReferrerDiscoverPublic { - return &ReferrerDiscoverPublic{cfg} -} - -// Run calls the deprecated public shared index RPC, kept for backwards compatibility. -// -//nolint:staticcheck // the RPC is deprecated but still supported -func (action *ReferrerDiscoverPublic) Run(ctx context.Context, digest, kind string, p *PaginationOpts) (*ReferrerDiscoverResult, error) { - client := pb.NewReferrerServiceClient(action.cfg.CPConnection) - resp, err := client.DiscoverPublicShared(ctx, &pb.DiscoverPublicSharedRequest{ - Digest: digest, - Kind: kind, - Pagination: paginationOptsToPb(p), - }) - if err != nil { - return nil, err - } - - return newReferrerDiscoverResult(resp.Result, resp.GetPagination()), nil -} - func paginationOptsToPb(p *PaginationOpts) *pb.CursorPaginationRequest { if p == nil { return nil @@ -109,7 +84,6 @@ func pbReferrerItemToAction(in *pb.ReferrerItem) *ReferrerItem { out := &ReferrerItem{ Digest: in.GetDigest(), Downloadable: in.GetDownloadable(), - Public: in.GetPublic(), Kind: in.GetKind(), CreatedAt: toTimePtr(in.GetCreatedAt().AsTime()), References: make([]*ReferrerItem, 0, len(in.GetReferences())), diff --git a/app/cli/pkg/action/workflow_create.go b/app/cli/pkg/action/workflow_create.go index ed3426220..32f8daee8 100644 --- a/app/cli/pkg/action/workflow_create.go +++ b/app/cli/pkg/action/workflow_create.go @@ -1,5 +1,5 @@ // -// Copyright 2024 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -31,7 +31,6 @@ func NewWorkflowCreate(cfg *ActionsOpts) *WorkflowCreate { type NewWorkflowCreateOpts struct { Name, Description, Project, Team, ContractName string - Public bool ContractBytes []byte } @@ -40,7 +39,6 @@ func (action *WorkflowCreate) Run(opts *NewWorkflowCreateOpts) (*WorkflowItem, e resp, err := client.Create(context.Background(), &pb.WorkflowServiceCreateRequest{ Name: opts.Name, ProjectName: opts.Project, Team: opts.Team, ContractName: opts.ContractName, Description: opts.Description, - Public: opts.Public, ContractBytes: opts.ContractBytes, }) if err != nil { diff --git a/app/cli/pkg/action/workflow_list.go b/app/cli/pkg/action/workflow_list.go index c235718de..47be7a866 100644 --- a/app/cli/pkg/action/workflow_list.go +++ b/app/cli/pkg/action/workflow_list.go @@ -1,5 +1,5 @@ // -// Copyright 2024 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -38,10 +38,6 @@ type WorkflowItem struct { ContractName string `json:"contractName,omitempty"` ContractRevisionLatest int32 `json:"contractRevisionLatest,omitempty"` LastRun *WorkflowRunItem `json:"lastRun,omitempty"` - // A public workflow means that any user can - // - access to all its workflow runs - // - their attestation and materials - Public bool `json:"public"` } // WorkflowListResult holds the output of the workflow list action @@ -109,7 +105,6 @@ func pbWorkflowItemToAction(wf *pb.WorkflowItem) *WorkflowItem { ContractName: wf.ContractName, ContractRevisionLatest: wf.ContractRevisionLatest, LastRun: pbWorkflowRunItemToAction(wf.LastRun), - Public: wf.Public, Description: wf.Description, } } diff --git a/app/cli/pkg/action/workflow_update.go b/app/cli/pkg/action/workflow_update.go index 9f521f49d..64564b2f6 100644 --- a/app/cli/pkg/action/workflow_update.go +++ b/app/cli/pkg/action/workflow_update.go @@ -1,5 +1,5 @@ // -// Copyright 2023 The Chainloop Authors. +// Copyright 2023-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -31,7 +31,6 @@ func NewWorkflowUpdate(cfg *ActionsOpts) *WorkflowUpdate { type WorkflowUpdateOpts struct { Description, Team, ContractName *string - Public *bool } func (action *WorkflowUpdate) Run(ctx context.Context, name, project string, opts *WorkflowUpdateOpts) (*WorkflowItem, error) { @@ -41,7 +40,6 @@ func (action *WorkflowUpdate) Run(ctx context.Context, name, project string, opt ProjectName: project, Description: opts.Description, Team: opts.Team, - Public: opts.Public, ContractName: opts.ContractName, }) diff --git a/app/controlplane/api/controlplane/v1/referrer.pb.go b/app/controlplane/api/controlplane/v1/referrer.pb.go index 4f52d7174..160ea580b 100644 --- a/app/controlplane/api/controlplane/v1/referrer.pb.go +++ b/app/controlplane/api/controlplane/v1/referrer.pb.go @@ -125,129 +125,6 @@ func (x *ReferrerServiceDiscoverPrivateRequest) GetProjectVersion() string { return "" } -// DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method -// Deprecated: the public shared index is being retired. -// -// Deprecated: Marked as deprecated in controlplane/v1/referrer.proto. -type DiscoverPublicSharedRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - // Digest is the unique identifier of the referrer to discover - Digest string `protobuf:"bytes,1,opt,name=digest,proto3" json:"digest,omitempty"` - // Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ... - // Used to filter and resolve ambiguities - Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` - // Pagination options for the references list - Pagination *CursorPaginationRequest `protobuf:"bytes,3,opt,name=pagination,proto3" json:"pagination,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache -} - -func (x *DiscoverPublicSharedRequest) Reset() { - *x = DiscoverPublicSharedRequest{} - mi := &file_controlplane_v1_referrer_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *DiscoverPublicSharedRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DiscoverPublicSharedRequest) ProtoMessage() {} - -func (x *DiscoverPublicSharedRequest) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_v1_referrer_proto_msgTypes[1] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DiscoverPublicSharedRequest.ProtoReflect.Descriptor instead. -func (*DiscoverPublicSharedRequest) Descriptor() ([]byte, []int) { - return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{1} -} - -func (x *DiscoverPublicSharedRequest) GetDigest() string { - if x != nil { - return x.Digest - } - return "" -} - -func (x *DiscoverPublicSharedRequest) GetKind() string { - if x != nil { - return x.Kind - } - return "" -} - -func (x *DiscoverPublicSharedRequest) GetPagination() *CursorPaginationRequest { - if x != nil { - return x.Pagination - } - return nil -} - -// DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method -type DiscoverPublicSharedResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - // Result is the discovered referrer item - Result *ReferrerItem `protobuf:"bytes,1,opt,name=result,proto3" json:"result,omitempty"` - // Pagination information for the references list - Pagination *CursorPaginationResponse `protobuf:"bytes,2,opt,name=pagination,proto3" json:"pagination,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache -} - -func (x *DiscoverPublicSharedResponse) Reset() { - *x = DiscoverPublicSharedResponse{} - mi := &file_controlplane_v1_referrer_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *DiscoverPublicSharedResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DiscoverPublicSharedResponse) ProtoMessage() {} - -func (x *DiscoverPublicSharedResponse) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_v1_referrer_proto_msgTypes[2] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DiscoverPublicSharedResponse.ProtoReflect.Descriptor instead. -func (*DiscoverPublicSharedResponse) Descriptor() ([]byte, []int) { - return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{2} -} - -func (x *DiscoverPublicSharedResponse) GetResult() *ReferrerItem { - if x != nil { - return x.Result - } - return nil -} - -func (x *DiscoverPublicSharedResponse) GetPagination() *CursorPaginationResponse { - if x != nil { - return x.Pagination - } - return nil -} - // ReferrerServiceDiscoverPrivateResponse is the response for the DiscoverPrivate method type ReferrerServiceDiscoverPrivateResponse struct { state protoimpl.MessageState `protogen:"open.v1"` @@ -261,7 +138,7 @@ type ReferrerServiceDiscoverPrivateResponse struct { func (x *ReferrerServiceDiscoverPrivateResponse) Reset() { *x = ReferrerServiceDiscoverPrivateResponse{} - mi := &file_controlplane_v1_referrer_proto_msgTypes[3] + mi := &file_controlplane_v1_referrer_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -273,7 +150,7 @@ func (x *ReferrerServiceDiscoverPrivateResponse) String() string { func (*ReferrerServiceDiscoverPrivateResponse) ProtoMessage() {} func (x *ReferrerServiceDiscoverPrivateResponse) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_v1_referrer_proto_msgTypes[3] + mi := &file_controlplane_v1_referrer_proto_msgTypes[1] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -286,7 +163,7 @@ func (x *ReferrerServiceDiscoverPrivateResponse) ProtoReflect() protoreflect.Mes // Deprecated: Use ReferrerServiceDiscoverPrivateResponse.ProtoReflect.Descriptor instead. func (*ReferrerServiceDiscoverPrivateResponse) Descriptor() ([]byte, []int) { - return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{3} + return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{1} } func (x *ReferrerServiceDiscoverPrivateResponse) GetResult() *ReferrerItem { @@ -312,8 +189,6 @@ type ReferrerItem struct { Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` // Downloadable indicates whether the referrer is downloadable or not from CAS Downloadable bool `protobuf:"varint,3,opt,name=downloadable,proto3" json:"downloadable,omitempty"` - // Public indicates whether the referrer is public since it belongs to a public workflow - Public bool `protobuf:"varint,6,opt,name=public,proto3" json:"public,omitempty"` // References contains the list of related referrer items References []*ReferrerItem `protobuf:"bytes,4,rep,name=references,proto3" json:"references,omitempty"` // CreatedAt is the timestamp when the referrer was created @@ -328,7 +203,7 @@ type ReferrerItem struct { func (x *ReferrerItem) Reset() { *x = ReferrerItem{} - mi := &file_controlplane_v1_referrer_proto_msgTypes[4] + mi := &file_controlplane_v1_referrer_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -340,7 +215,7 @@ func (x *ReferrerItem) String() string { func (*ReferrerItem) ProtoMessage() {} func (x *ReferrerItem) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_v1_referrer_proto_msgTypes[4] + mi := &file_controlplane_v1_referrer_proto_msgTypes[2] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -353,7 +228,7 @@ func (x *ReferrerItem) ProtoReflect() protoreflect.Message { // Deprecated: Use ReferrerItem.ProtoReflect.Descriptor instead. func (*ReferrerItem) Descriptor() ([]byte, []int) { - return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{4} + return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{2} } func (x *ReferrerItem) GetDigest() string { @@ -377,13 +252,6 @@ func (x *ReferrerItem) GetDownloadable() bool { return false } -func (x *ReferrerItem) GetPublic() bool { - if x != nil { - return x.Public - } - return false -} - func (x *ReferrerItem) GetReferences() []*ReferrerItem { if x != nil { return x.References @@ -426,31 +294,17 @@ const file_controlplane_v1_referrer_proto_rawDesc = "" + "\fproject_name\x18\x04 \x01(\tR\vprojectName\x12'\n" + "\x0fproject_version\x18\x05 \x01(\tR\x0eprojectVersion:\xfb\x01\x92AQ\n" + "O*%ReferrerServiceDiscoverPrivateRequest2&Request to discover a private referrer\xbaH\xa3\x01\x1a\xa0\x01\n" + - ".discover_project_version_requires_project_name\x124project_name must be set when project_version is set\x1a8!(this.project_version != '' && this.project_name == '')\"\xf0\x01\n" + - "\x1bDiscoverPublicSharedRequest\x12\x1f\n" + - "\x06digest\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x06digest\x12\x12\n" + - "\x04kind\x18\x02 \x01(\tR\x04kind\x12H\n" + - "\n" + - "pagination\x18\x03 \x01(\v2(.controlplane.v1.CursorPaginationRequestR\n" + - "pagination:R\x92AM\n" + - "K*\x1bDiscoverPublicSharedRequest2,Request to discover a public shared referrer\x18\x01\"\xf3\x01\n" + - "\x1cDiscoverPublicSharedResponse\x125\n" + - "\x06result\x18\x01 \x01(\v2\x1d.controlplane.v1.ReferrerItemR\x06result\x12I\n" + - "\n" + - "pagination\x18\x02 \x01(\v2).controlplane.v1.CursorPaginationResponseR\n" + - "pagination:Q\x92AN\n" + - "L*\x1cDiscoverPublicSharedResponse2,Response for the DiscoverPublicShared method\"\x82\x02\n" + + ".discover_project_version_requires_project_name\x124project_name must be set when project_version is set\x1a8!(this.project_version != '' && this.project_name == '')\"\x82\x02\n" + "&ReferrerServiceDiscoverPrivateResponse\x125\n" + "\x06result\x18\x01 \x01(\v2\x1d.controlplane.v1.ReferrerItemR\x06result\x12I\n" + "\n" + "pagination\x18\x02 \x01(\v2).controlplane.v1.CursorPaginationResponseR\n" + "pagination:V\x92AS\n" + - "Q*&ReferrerServiceDiscoverPrivateResponse2'Response for the DiscoverPrivate method\"\xcc\x04\n" + + "Q*&ReferrerServiceDiscoverPrivateResponse2'Response for the DiscoverPrivate method\"\xc2\x04\n" + "\fReferrerItem\x12\x16\n" + "\x06digest\x18\x01 \x01(\tR\x06digest\x12\x12\n" + "\x04kind\x18\x02 \x01(\tR\x04kind\x12\"\n" + - "\fdownloadable\x18\x03 \x01(\bR\fdownloadable\x12\x16\n" + - "\x06public\x18\x06 \x01(\bR\x06public\x12=\n" + + "\fdownloadable\x18\x03 \x01(\bR\fdownloadable\x12=\n" + "\n" + "references\x18\x04 \x03(\v2\x1d.controlplane.v1.ReferrerItemR\n" + "references\x129\n" + @@ -464,10 +318,9 @@ const file_controlplane_v1_referrer_proto_rawDesc = "" + "\x10AnnotationsEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01:B\x92A?\n" + - "=*\fReferrerItem2-It represents a referrer object in the system2\xac\x05\n" + + "=*\fReferrerItem2-It represents a referrer object in the systemJ\x04\b\x06\x10\aR\x06public2\x90\x03\n" + "\x0fReferrerService\x12\xa9\x02\n" + - "\x0fDiscoverPrivate\x126.controlplane.v1.ReferrerServiceDiscoverPrivateRequest\x1a7.controlplane.v1.ReferrerServiceDiscoverPrivateResponse\"\xa4\x01\x92A\x86\x01\x12\x19Discover private referrer\x1aWReturns the referrer item for a given digest in the organizations of the logged-in user:\x10application/json\x82\xd3\xe4\x93\x02\x14\x12\x12/discover/{digest}\x12\x99\x02\n" + - "\x14DiscoverPublicShared\x12,.controlplane.v1.DiscoverPublicSharedRequest\x1a-.controlplane.v1.DiscoverPublicSharedResponse\"\xa3\x01\x92A|\x12\x1fDiscover public shared referrer\x1aGReturns the referrer item for a given digest in the public shared index:\x10application/json\x82\xd3\xe4\x93\x02\x1b\x12\x19/discover/shared/{digest}\x88\x02\x01\x1aQ\x92AN\n" + + "\x0fDiscoverPrivate\x126.controlplane.v1.ReferrerServiceDiscoverPrivateRequest\x1a7.controlplane.v1.ReferrerServiceDiscoverPrivateResponse\"\xa4\x01\x92A\x86\x01\x12\x19Discover private referrer\x1aWReturns the referrer item for a given digest in the organizations of the logged-in user:\x10application/json\x82\xd3\xe4\x93\x02\x14\x12\x12/discover/{digest}\x1aQ\x92AN\n" + "\x0fReferrerService\x12;Referrer service for discovering referred content by digestBLZJgithub.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1;v1b\x06proto3" var ( @@ -482,39 +335,32 @@ func file_controlplane_v1_referrer_proto_rawDescGZIP() []byte { return file_controlplane_v1_referrer_proto_rawDescData } -var file_controlplane_v1_referrer_proto_msgTypes = make([]protoimpl.MessageInfo, 7) +var file_controlplane_v1_referrer_proto_msgTypes = make([]protoimpl.MessageInfo, 5) var file_controlplane_v1_referrer_proto_goTypes = []any{ (*ReferrerServiceDiscoverPrivateRequest)(nil), // 0: controlplane.v1.ReferrerServiceDiscoverPrivateRequest - (*DiscoverPublicSharedRequest)(nil), // 1: controlplane.v1.DiscoverPublicSharedRequest - (*DiscoverPublicSharedResponse)(nil), // 2: controlplane.v1.DiscoverPublicSharedResponse - (*ReferrerServiceDiscoverPrivateResponse)(nil), // 3: controlplane.v1.ReferrerServiceDiscoverPrivateResponse - (*ReferrerItem)(nil), // 4: controlplane.v1.ReferrerItem - nil, // 5: controlplane.v1.ReferrerItem.MetadataEntry - nil, // 6: controlplane.v1.ReferrerItem.AnnotationsEntry - (*CursorPaginationRequest)(nil), // 7: controlplane.v1.CursorPaginationRequest - (*CursorPaginationResponse)(nil), // 8: controlplane.v1.CursorPaginationResponse - (*timestamppb.Timestamp)(nil), // 9: google.protobuf.Timestamp + (*ReferrerServiceDiscoverPrivateResponse)(nil), // 1: controlplane.v1.ReferrerServiceDiscoverPrivateResponse + (*ReferrerItem)(nil), // 2: controlplane.v1.ReferrerItem + nil, // 3: controlplane.v1.ReferrerItem.MetadataEntry + nil, // 4: controlplane.v1.ReferrerItem.AnnotationsEntry + (*CursorPaginationRequest)(nil), // 5: controlplane.v1.CursorPaginationRequest + (*CursorPaginationResponse)(nil), // 6: controlplane.v1.CursorPaginationResponse + (*timestamppb.Timestamp)(nil), // 7: google.protobuf.Timestamp } var file_controlplane_v1_referrer_proto_depIdxs = []int32{ - 7, // 0: controlplane.v1.ReferrerServiceDiscoverPrivateRequest.pagination:type_name -> controlplane.v1.CursorPaginationRequest - 7, // 1: controlplane.v1.DiscoverPublicSharedRequest.pagination:type_name -> controlplane.v1.CursorPaginationRequest - 4, // 2: controlplane.v1.DiscoverPublicSharedResponse.result:type_name -> controlplane.v1.ReferrerItem - 8, // 3: controlplane.v1.DiscoverPublicSharedResponse.pagination:type_name -> controlplane.v1.CursorPaginationResponse - 4, // 4: controlplane.v1.ReferrerServiceDiscoverPrivateResponse.result:type_name -> controlplane.v1.ReferrerItem - 8, // 5: controlplane.v1.ReferrerServiceDiscoverPrivateResponse.pagination:type_name -> controlplane.v1.CursorPaginationResponse - 4, // 6: controlplane.v1.ReferrerItem.references:type_name -> controlplane.v1.ReferrerItem - 9, // 7: controlplane.v1.ReferrerItem.created_at:type_name -> google.protobuf.Timestamp - 5, // 8: controlplane.v1.ReferrerItem.metadata:type_name -> controlplane.v1.ReferrerItem.MetadataEntry - 6, // 9: controlplane.v1.ReferrerItem.annotations:type_name -> controlplane.v1.ReferrerItem.AnnotationsEntry - 0, // 10: controlplane.v1.ReferrerService.DiscoverPrivate:input_type -> controlplane.v1.ReferrerServiceDiscoverPrivateRequest - 1, // 11: controlplane.v1.ReferrerService.DiscoverPublicShared:input_type -> controlplane.v1.DiscoverPublicSharedRequest - 3, // 12: controlplane.v1.ReferrerService.DiscoverPrivate:output_type -> controlplane.v1.ReferrerServiceDiscoverPrivateResponse - 2, // 13: controlplane.v1.ReferrerService.DiscoverPublicShared:output_type -> controlplane.v1.DiscoverPublicSharedResponse - 12, // [12:14] is the sub-list for method output_type - 10, // [10:12] is the sub-list for method input_type - 10, // [10:10] is the sub-list for extension type_name - 10, // [10:10] is the sub-list for extension extendee - 0, // [0:10] is the sub-list for field type_name + 5, // 0: controlplane.v1.ReferrerServiceDiscoverPrivateRequest.pagination:type_name -> controlplane.v1.CursorPaginationRequest + 2, // 1: controlplane.v1.ReferrerServiceDiscoverPrivateResponse.result:type_name -> controlplane.v1.ReferrerItem + 6, // 2: controlplane.v1.ReferrerServiceDiscoverPrivateResponse.pagination:type_name -> controlplane.v1.CursorPaginationResponse + 2, // 3: controlplane.v1.ReferrerItem.references:type_name -> controlplane.v1.ReferrerItem + 7, // 4: controlplane.v1.ReferrerItem.created_at:type_name -> google.protobuf.Timestamp + 3, // 5: controlplane.v1.ReferrerItem.metadata:type_name -> controlplane.v1.ReferrerItem.MetadataEntry + 4, // 6: controlplane.v1.ReferrerItem.annotations:type_name -> controlplane.v1.ReferrerItem.AnnotationsEntry + 0, // 7: controlplane.v1.ReferrerService.DiscoverPrivate:input_type -> controlplane.v1.ReferrerServiceDiscoverPrivateRequest + 1, // 8: controlplane.v1.ReferrerService.DiscoverPrivate:output_type -> controlplane.v1.ReferrerServiceDiscoverPrivateResponse + 8, // [8:9] is the sub-list for method output_type + 7, // [7:8] is the sub-list for method input_type + 7, // [7:7] is the sub-list for extension type_name + 7, // [7:7] is the sub-list for extension extendee + 0, // [0:7] is the sub-list for field type_name } func init() { file_controlplane_v1_referrer_proto_init() } @@ -529,7 +375,7 @@ func file_controlplane_v1_referrer_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_controlplane_v1_referrer_proto_rawDesc), len(file_controlplane_v1_referrer_proto_rawDesc)), NumEnums: 0, - NumMessages: 7, + NumMessages: 5, NumExtensions: 0, NumServices: 1, }, diff --git a/app/controlplane/api/controlplane/v1/referrer.proto b/app/controlplane/api/controlplane/v1/referrer.proto index aeb6ba0b3..ce5be09f9 100644 --- a/app/controlplane/api/controlplane/v1/referrer.proto +++ b/app/controlplane/api/controlplane/v1/referrer.proto @@ -35,18 +35,6 @@ service ReferrerService { produces: ["application/json"] }; } - // DiscoverPublicShared returns the referrer item for a given digest in the public shared index - // Deprecated: the public shared index is being retired. - rpc DiscoverPublicShared(DiscoverPublicSharedRequest) returns (DiscoverPublicSharedResponse) { - option deprecated = true; - option (google.api.http) = {get: "/discover/shared/{digest}"}; - option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { - summary: "Discover public shared referrer" - description: "Returns the referrer item for a given digest in the public shared index" - produces: ["application/json"] - }; - } - option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_tag) = { name: "ReferrerService" description: "Referrer service for discovering referred content by digest" @@ -85,42 +73,6 @@ message ReferrerServiceDiscoverPrivateRequest { }; } -// DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method -// Deprecated: the public shared index is being retired. -message DiscoverPublicSharedRequest { - option deprecated = true; - - // Digest is the unique identifier of the referrer to discover - string digest = 1 [(buf.validate.field).string = {min_len: 1}]; - // Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ... - // Used to filter and resolve ambiguities - string kind = 2; - // Pagination options for the references list - CursorPaginationRequest pagination = 3; - - option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { - json_schema: { - title: "DiscoverPublicSharedRequest" - description: "Request to discover a public shared referrer" - } - }; -} - -// DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method -message DiscoverPublicSharedResponse { - // Result is the discovered referrer item - ReferrerItem result = 1; - // Pagination information for the references list - CursorPaginationResponse pagination = 2; - - option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { - json_schema: { - title: "DiscoverPublicSharedResponse" - description: "Response for the DiscoverPublicShared method" - } - }; -} - // ReferrerServiceDiscoverPrivateResponse is the response for the DiscoverPrivate method message ReferrerServiceDiscoverPrivateResponse { // Result is the discovered referrer item @@ -144,8 +96,8 @@ message ReferrerItem { string kind = 2; // Downloadable indicates whether the referrer is downloadable or not from CAS bool downloadable = 3; - // Public indicates whether the referrer is public since it belongs to a public workflow - bool public = 6; + reserved 6; + reserved "public"; // References contains the list of related referrer items repeated ReferrerItem references = 4; // CreatedAt is the timestamp when the referrer was created diff --git a/app/controlplane/api/controlplane/v1/referrer_grpc.pb.go b/app/controlplane/api/controlplane/v1/referrer_grpc.pb.go index 3f2303ee9..62856be96 100644 --- a/app/controlplane/api/controlplane/v1/referrer_grpc.pb.go +++ b/app/controlplane/api/controlplane/v1/referrer_grpc.pb.go @@ -34,8 +34,7 @@ import ( const _ = grpc.SupportPackageIsVersion7 const ( - ReferrerService_DiscoverPrivate_FullMethodName = "/controlplane.v1.ReferrerService/DiscoverPrivate" - ReferrerService_DiscoverPublicShared_FullMethodName = "/controlplane.v1.ReferrerService/DiscoverPublicShared" + ReferrerService_DiscoverPrivate_FullMethodName = "/controlplane.v1.ReferrerService/DiscoverPrivate" ) // ReferrerServiceClient is the client API for ReferrerService service. @@ -44,10 +43,6 @@ const ( type ReferrerServiceClient interface { // DiscoverPrivate returns the referrer item for a given digest in the organizations of the logged-in user DiscoverPrivate(ctx context.Context, in *ReferrerServiceDiscoverPrivateRequest, opts ...grpc.CallOption) (*ReferrerServiceDiscoverPrivateResponse, error) - // Deprecated: Do not use. - // DiscoverPublicShared returns the referrer item for a given digest in the public shared index - // Deprecated: the public shared index is being retired. - DiscoverPublicShared(ctx context.Context, in *DiscoverPublicSharedRequest, opts ...grpc.CallOption) (*DiscoverPublicSharedResponse, error) } type referrerServiceClient struct { @@ -67,26 +62,12 @@ func (c *referrerServiceClient) DiscoverPrivate(ctx context.Context, in *Referre return out, nil } -// Deprecated: Do not use. -func (c *referrerServiceClient) DiscoverPublicShared(ctx context.Context, in *DiscoverPublicSharedRequest, opts ...grpc.CallOption) (*DiscoverPublicSharedResponse, error) { - out := new(DiscoverPublicSharedResponse) - err := c.cc.Invoke(ctx, ReferrerService_DiscoverPublicShared_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - // ReferrerServiceServer is the server API for ReferrerService service. // All implementations must embed UnimplementedReferrerServiceServer // for forward compatibility type ReferrerServiceServer interface { // DiscoverPrivate returns the referrer item for a given digest in the organizations of the logged-in user DiscoverPrivate(context.Context, *ReferrerServiceDiscoverPrivateRequest) (*ReferrerServiceDiscoverPrivateResponse, error) - // Deprecated: Do not use. - // DiscoverPublicShared returns the referrer item for a given digest in the public shared index - // Deprecated: the public shared index is being retired. - DiscoverPublicShared(context.Context, *DiscoverPublicSharedRequest) (*DiscoverPublicSharedResponse, error) mustEmbedUnimplementedReferrerServiceServer() } @@ -97,9 +78,6 @@ type UnimplementedReferrerServiceServer struct { func (UnimplementedReferrerServiceServer) DiscoverPrivate(context.Context, *ReferrerServiceDiscoverPrivateRequest) (*ReferrerServiceDiscoverPrivateResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method DiscoverPrivate not implemented") } -func (UnimplementedReferrerServiceServer) DiscoverPublicShared(context.Context, *DiscoverPublicSharedRequest) (*DiscoverPublicSharedResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method DiscoverPublicShared not implemented") -} func (UnimplementedReferrerServiceServer) mustEmbedUnimplementedReferrerServiceServer() {} // UnsafeReferrerServiceServer may be embedded to opt out of forward compatibility for this service. @@ -131,24 +109,6 @@ func _ReferrerService_DiscoverPrivate_Handler(srv interface{}, ctx context.Conte return interceptor(ctx, in, info, handler) } -func _ReferrerService_DiscoverPublicShared_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(DiscoverPublicSharedRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(ReferrerServiceServer).DiscoverPublicShared(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: ReferrerService_DiscoverPublicShared_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(ReferrerServiceServer).DiscoverPublicShared(ctx, req.(*DiscoverPublicSharedRequest)) - } - return interceptor(ctx, in, info, handler) -} - // ReferrerService_ServiceDesc is the grpc.ServiceDesc for ReferrerService service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) @@ -160,10 +120,6 @@ var ReferrerService_ServiceDesc = grpc.ServiceDesc{ MethodName: "DiscoverPrivate", Handler: _ReferrerService_DiscoverPrivate_Handler, }, - { - MethodName: "DiscoverPublicShared", - Handler: _ReferrerService_DiscoverPublicShared_Handler, - }, }, Streams: []grpc.StreamDesc{}, Metadata: "controlplane/v1/referrer.proto", diff --git a/app/controlplane/api/controlplane/v1/referrer_http.pb.go b/app/controlplane/api/controlplane/v1/referrer_http.pb.go index 14d169f4c..24f71246a 100644 --- a/app/controlplane/api/controlplane/v1/referrer_http.pb.go +++ b/app/controlplane/api/controlplane/v1/referrer_http.pb.go @@ -20,20 +20,15 @@ var _ = binding.EncodeURL const _ = http.SupportPackageIsVersion1 const OperationReferrerServiceDiscoverPrivate = "/controlplane.v1.ReferrerService/DiscoverPrivate" -const OperationReferrerServiceDiscoverPublicShared = "/controlplane.v1.ReferrerService/DiscoverPublicShared" type ReferrerServiceHTTPServer interface { // DiscoverPrivate DiscoverPrivate returns the referrer item for a given digest in the organizations of the logged-in user DiscoverPrivate(context.Context, *ReferrerServiceDiscoverPrivateRequest) (*ReferrerServiceDiscoverPrivateResponse, error) - // DiscoverPublicShared DiscoverPublicShared returns the referrer item for a given digest in the public shared index - // Deprecated: the public shared index is being retired. - DiscoverPublicShared(context.Context, *DiscoverPublicSharedRequest) (*DiscoverPublicSharedResponse, error) } func RegisterReferrerServiceHTTPServer(s *http.Server, srv ReferrerServiceHTTPServer) { r := s.Route("/") r.GET("/discover/{digest}", _ReferrerService_DiscoverPrivate0_HTTP_Handler(srv)) - r.GET("/discover/shared/{digest}", _ReferrerService_DiscoverPublicShared0_HTTP_Handler(srv)) } func _ReferrerService_DiscoverPrivate0_HTTP_Handler(srv ReferrerServiceHTTPServer) func(ctx http.Context) error { @@ -58,31 +53,8 @@ func _ReferrerService_DiscoverPrivate0_HTTP_Handler(srv ReferrerServiceHTTPServe } } -func _ReferrerService_DiscoverPublicShared0_HTTP_Handler(srv ReferrerServiceHTTPServer) func(ctx http.Context) error { - return func(ctx http.Context) error { - var in DiscoverPublicSharedRequest - if err := ctx.BindQuery(&in); err != nil { - return err - } - if err := ctx.BindVars(&in); err != nil { - return err - } - http.SetOperation(ctx, OperationReferrerServiceDiscoverPublicShared) - h := ctx.Middleware(func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.DiscoverPublicShared(ctx, req.(*DiscoverPublicSharedRequest)) - }) - out, err := h(ctx, &in) - if err != nil { - return err - } - reply := out.(*DiscoverPublicSharedResponse) - return ctx.Result(200, reply) - } -} - type ReferrerServiceHTTPClient interface { DiscoverPrivate(ctx context.Context, req *ReferrerServiceDiscoverPrivateRequest, opts ...http.CallOption) (rsp *ReferrerServiceDiscoverPrivateResponse, err error) - DiscoverPublicShared(ctx context.Context, req *DiscoverPublicSharedRequest, opts ...http.CallOption) (rsp *DiscoverPublicSharedResponse, err error) } type ReferrerServiceHTTPClientImpl struct { @@ -105,16 +77,3 @@ func (c *ReferrerServiceHTTPClientImpl) DiscoverPrivate(ctx context.Context, in } return &out, err } - -func (c *ReferrerServiceHTTPClientImpl) DiscoverPublicShared(ctx context.Context, in *DiscoverPublicSharedRequest, opts ...http.CallOption) (*DiscoverPublicSharedResponse, error) { - var out DiscoverPublicSharedResponse - pattern := "/discover/shared/{digest}" - path := binding.EncodeURL(pattern, in, true) - opts = append(opts, http.Operation(OperationReferrerServiceDiscoverPublicShared)) - opts = append(opts, http.PathTemplate(pattern)) - err := c.cc.Invoke(ctx, "GET", path, nil, &out, opts...) - if err != nil { - return nil, err - } - return &out, err -} diff --git a/app/controlplane/api/controlplane/v1/response_messages.pb.go b/app/controlplane/api/controlplane/v1/response_messages.pb.go index 98354281b..1f996e42f 100644 --- a/app/controlplane/api/controlplane/v1/response_messages.pb.go +++ b/app/controlplane/api/controlplane/v1/response_messages.pb.go @@ -742,9 +742,10 @@ type WorkflowItem struct { ContractName string `protobuf:"bytes,8,opt,name=contract_name,json=contractName,proto3" json:"contract_name,omitempty"` // Current, latest revision of the contract ContractRevisionLatest int32 `protobuf:"varint,11,opt,name=contract_revision_latest,json=contractRevisionLatest,proto3" json:"contract_revision_latest,omitempty"` - // A public workflow means that any user can - // - access to all its workflow runs - // - their attestation and materials + // Deprecated: public workflows were removed. This field is always false and + // is retained only for wire compatibility; it will be removed in a future release. + // + // Deprecated: Marked as deprecated in controlplane/v1/response_messages.proto. Public bool `protobuf:"varint,9,opt,name=public,proto3" json:"public,omitempty"` Description string `protobuf:"bytes,10,opt,name=description,proto3" json:"description,omitempty"` unknownFields protoimpl.UnknownFields @@ -851,6 +852,7 @@ func (x *WorkflowItem) GetContractRevisionLatest() int32 { return 0 } +// Deprecated: Marked as deprecated in controlplane/v1/response_messages.proto. func (x *WorkflowItem) GetPublic() bool { if x != nil { return x.Public @@ -3101,7 +3103,7 @@ var File_controlplane_v1_response_messages_proto protoreflect.FileDescriptor const file_controlplane_v1_response_messages_proto_rawDesc = "" + "\n" + - "'controlplane/v1/response_messages.proto\x12\x0fcontrolplane.v1\x1a#attestation/v1/crafting_state.proto\x1a\x1bbuf/validate/validate.proto\x1a\x13errors/errors.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a)workflowcontract/v1/crafting_schema.proto\"\xb9\x03\n" + + "'controlplane/v1/response_messages.proto\x12\x0fcontrolplane.v1\x1a#attestation/v1/crafting_state.proto\x1a\x1bbuf/validate/validate.proto\x1a\x13errors/errors.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a)workflowcontract/v1/crafting_schema.proto\"\xbd\x03\n" + "\fWorkflowItem\x12\x0e\n" + "\x02id\x18\x01 \x01(\tR\x02id\x12\x12\n" + "\x04name\x18\x02 \x01(\tR\x04name\x12\x18\n" + @@ -3115,8 +3117,8 @@ const file_controlplane_v1_response_messages_proto_rawDesc = "" + "runs_count\x18\x06 \x01(\x05R\trunsCount\x12;\n" + "\blast_run\x18\a \x01(\v2 .controlplane.v1.WorkflowRunItemR\alastRun\x12#\n" + "\rcontract_name\x18\b \x01(\tR\fcontractName\x128\n" + - "\x18contract_revision_latest\x18\v \x01(\x05R\x16contractRevisionLatest\x12\x16\n" + - "\x06public\x18\t \x01(\bR\x06public\x12 \n" + + "\x18contract_revision_latest\x18\v \x01(\x05R\x16contractRevisionLatest\x12\x1a\n" + + "\x06public\x18\t \x01(\bB\x02\x18\x01R\x06public\x12 \n" + "\vdescription\x18\n" + " \x01(\tR\vdescription\"\xd3\x06\n" + "\x0fWorkflowRunItem\x12\x0e\n" + diff --git a/app/controlplane/api/controlplane/v1/response_messages.proto b/app/controlplane/api/controlplane/v1/response_messages.proto index e7d79f43d..10d275536 100644 --- a/app/controlplane/api/controlplane/v1/response_messages.proto +++ b/app/controlplane/api/controlplane/v1/response_messages.proto @@ -38,10 +38,9 @@ message WorkflowItem { string contract_name = 8; // Current, latest revision of the contract int32 contract_revision_latest = 11; - // A public workflow means that any user can - // - access to all its workflow runs - // - their attestation and materials - bool public = 9; + // Deprecated: public workflows were removed. This field is always false and + // is retained only for wire compatibility; it will be removed in a future release. + bool public = 9 [deprecated = true]; string description = 10; } diff --git a/app/controlplane/api/controlplane/v1/workflow.pb.go b/app/controlplane/api/controlplane/v1/workflow.pb.go index 093f4a463..fb7c605c9 100644 --- a/app/controlplane/api/controlplane/v1/workflow.pb.go +++ b/app/controlplane/api/controlplane/v1/workflow.pb.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -102,7 +102,6 @@ type WorkflowServiceCreateRequest struct { ContractBytes []byte `protobuf:"bytes,4,opt,name=contract_bytes,json=contractBytes,proto3" json:"contract_bytes,omitempty"` Team string `protobuf:"bytes,5,opt,name=team,proto3" json:"team,omitempty"` Description string `protobuf:"bytes,6,opt,name=description,proto3" json:"description,omitempty"` - Public bool `protobuf:"varint,7,opt,name=public,proto3" json:"public,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -179,13 +178,6 @@ func (x *WorkflowServiceCreateRequest) GetDescription() string { return "" } -func (x *WorkflowServiceCreateRequest) GetPublic() bool { - if x != nil { - return x.Public - } - return false -} - type WorkflowServiceUpdateRequest struct { state protoimpl.MessageState `protogen:"open.v1"` Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` @@ -193,7 +185,6 @@ type WorkflowServiceUpdateRequest struct { // and not just the default value ProjectName string `protobuf:"bytes,3,opt,name=project_name,json=projectName,proto3" json:"project_name,omitempty"` Team *string `protobuf:"bytes,4,opt,name=team,proto3,oneof" json:"team,omitempty"` - Public *bool `protobuf:"varint,5,opt,name=public,proto3,oneof" json:"public,omitempty"` Description *string `protobuf:"bytes,6,opt,name=description,proto3,oneof" json:"description,omitempty"` ContractName *string `protobuf:"bytes,7,opt,name=contract_name,json=contractName,proto3,oneof" json:"contract_name,omitempty"` unknownFields protoimpl.UnknownFields @@ -251,13 +242,6 @@ func (x *WorkflowServiceUpdateRequest) GetTeam() string { return "" } -func (x *WorkflowServiceUpdateRequest) GetPublic() bool { - if x != nil && x.Public != nil { - return *x.Public - } - return false -} - func (x *WorkflowServiceUpdateRequest) GetDescription() string { if x != nil && x.Description != nil { return *x.Description @@ -458,8 +442,6 @@ type WorkflowServiceListRequest struct { ProjectNames []string `protobuf:"bytes,3,rep,name=project_names,json=projectNames,proto3" json:"project_names,omitempty"` // The description of the workflow WorkflowDescription string `protobuf:"bytes,4,opt,name=workflow_description,json=workflowDescription,proto3" json:"workflow_description,omitempty"` - // If the workflow is public - WorkflowPublic *bool `protobuf:"varint,5,opt,name=workflow_public,json=workflowPublic,proto3,oneof" json:"workflow_public,omitempty"` // The type of runner that ran the workflow WorkflowRunRunnerType v1.CraftingSchema_Runner_RunnerType `protobuf:"varint,6,opt,name=workflow_run_runner_type,json=workflowRunRunnerType,proto3,enum=workflowcontract.v1.CraftingSchema_Runner_RunnerType" json:"workflow_run_runner_type,omitempty"` // The status of the last workflow run @@ -532,13 +514,6 @@ func (x *WorkflowServiceListRequest) GetWorkflowDescription() string { return "" } -func (x *WorkflowServiceListRequest) GetWorkflowPublic() bool { - if x != nil && x.WorkflowPublic != nil { - return *x.WorkflowPublic - } - return false -} - func (x *WorkflowServiceListRequest) GetWorkflowRunRunnerType() v1.CraftingSchema_Runner_RunnerType { if x != nil { return x.WorkflowRunRunnerType @@ -726,7 +701,7 @@ var File_controlplane_v1_workflow_proto protoreflect.FileDescriptor const file_controlplane_v1_workflow_proto_rawDesc = "" + "\n" + - "\x1econtrolplane/v1/workflow.proto\x12\x0fcontrolplane.v1\x1a\x1bbuf/validate/validate.proto\x1a controlplane/v1/pagination.proto\x1a'controlplane/v1/response_messages.proto\x1a\x1ejsonfilter/v1/jsonfilter.proto\x1a)workflowcontract/v1/crafting_schema.proto\"\x88\x04\n" + + "\x1econtrolplane/v1/workflow.proto\x12\x0fcontrolplane.v1\x1a\x1bbuf/validate/validate.proto\x1a controlplane/v1/pagination.proto\x1a'controlplane/v1/response_messages.proto\x1a\x1ejsonfilter/v1/jsonfilter.proto\x1a)workflowcontract/v1/crafting_schema.proto\"\xfe\x03\n" + "\x1cWorkflowServiceCreateRequest\x12\x97\x01\n" + "\x04name\x18\x01 \x01(\tB\x82\x01\xbaH\x7f\xba\x01|\n" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')R\x04name\x12*\n" + @@ -735,21 +710,18 @@ const file_controlplane_v1_workflow_proto_rawDesc = "" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')\xd8\x01\x01R\fcontractName\x12%\n" + "\x0econtract_bytes\x18\x04 \x01(\fR\rcontractBytes\x12\x12\n" + "\x04team\x18\x05 \x01(\tR\x04team\x12 \n" + - "\vdescription\x18\x06 \x01(\tR\vdescription\x12\x16\n" + - "\x06public\x18\a \x01(\bR\x06public\"\xa7\x04\n" + + "\vdescription\x18\x06 \x01(\tR\vdescriptionJ\x04\b\a\x10\bR\x06public\"\x8d\x04\n" + "\x1cWorkflowServiceUpdateRequest\x12\x97\x01\n" + "\x04name\x18\x01 \x01(\tB\x82\x01\xbaH\x7f\xba\x01|\n" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')R\x04name\x12*\n" + "\fproject_name\x18\x03 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\vprojectName\x12\x17\n" + - "\x04team\x18\x04 \x01(\tH\x00R\x04team\x88\x01\x01\x12\x1b\n" + - "\x06public\x18\x05 \x01(\bH\x01R\x06public\x88\x01\x01\x12%\n" + - "\vdescription\x18\x06 \x01(\tH\x02R\vdescription\x88\x01\x01\x12\xad\x01\n" + + "\x04team\x18\x04 \x01(\tH\x00R\x04team\x88\x01\x01\x12%\n" + + "\vdescription\x18\x06 \x01(\tH\x01R\vdescription\x88\x01\x01\x12\xad\x01\n" + "\rcontract_name\x18\a \x01(\tB\x82\x01\xbaH\x7f\xba\x01|\n" + - "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')H\x03R\fcontractName\x88\x01\x01B\a\n" + - "\x05_teamB\t\n" + - "\a_publicB\x0e\n" + + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')H\x02R\fcontractName\x88\x01\x01B\a\n" + + "\x05_teamB\x0e\n" + "\f_descriptionB\x10\n" + - "\x0e_contract_name\"V\n" + + "\x0e_contract_nameJ\x04\b\x05\x10\x06R\x06public\"V\n" + "\x1dWorkflowServiceUpdateResponse\x125\n" + "\x06result\x18\x01 \x01(\v2\x1d.controlplane.v1.WorkflowItemR\x06result\"V\n" + "\x1dWorkflowServiceCreateResponse\x125\n" + @@ -758,13 +730,12 @@ const file_controlplane_v1_workflow_proto_rawDesc = "" + "\x04name\x18\x01 \x01(\tB\x82\x01\xbaH\x7f\xba\x01|\n" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')R\x04name\x12*\n" + "\fproject_name\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\vprojectName\"\x1f\n" + - "\x1dWorkflowServiceDeleteResponse\"\xd3\x05\n" + + "\x1dWorkflowServiceDeleteResponse\"\xa8\x05\n" + "\x1aWorkflowServiceListRequest\x12#\n" + "\rworkflow_name\x18\x01 \x01(\tR\fworkflowName\x12#\n" + "\rworkflow_team\x18\x02 \x01(\tR\fworkflowTeam\x12#\n" + "\rproject_names\x18\x03 \x03(\tR\fprojectNames\x121\n" + - "\x14workflow_description\x18\x04 \x01(\tR\x13workflowDescription\x12,\n" + - "\x0fworkflow_public\x18\x05 \x01(\bH\x00R\x0eworkflowPublic\x88\x01\x01\x12n\n" + + "\x14workflow_description\x18\x04 \x01(\tR\x13workflowDescription\x12n\n" + "\x18workflow_run_runner_type\x18\x06 \x01(\x0e25.workflowcontract.v1.CraftingSchema.Runner.RunnerTypeR\x15workflowRunRunnerType\x12`\n" + "\x18workflow_run_last_status\x18\a \x01(\x0e2\x1a.controlplane.v1.RunStatusB\v\xbaH\b\xd8\x01\x01\x82\x01\x02 \x00R\x15workflowRunLastStatus\x12w\n" + "\x1dworkflow_last_activity_window\x18\b \x01(\x0e2'.controlplane.v1.WorkflowActivityWindowB\v\xbaH\b\xd8\x01\x01\x82\x01\x02 \x00R\x1aworkflowLastActivityWindow\x12H\n" + @@ -772,8 +743,7 @@ const file_controlplane_v1_workflow_proto_rawDesc = "" + "pagination\x18\t \x01(\v2(.controlplane.v1.OffsetPaginationRequestR\n" + "pagination\x12<\n" + "\fjson_filters\x18\n" + - " \x03(\v2\x19.jsonfilter.v1.JSONFilterR\vjsonFiltersB\x12\n" + - "\x10_workflow_public\"\x9f\x01\n" + + " \x03(\v2\x19.jsonfilter.v1.JSONFilterR\vjsonFiltersJ\x04\b\x05\x10\x06R\x0fworkflow_public\"\x9f\x01\n" + "\x1bWorkflowServiceListResponse\x125\n" + "\x06result\x18\x01 \x03(\v2\x1d.controlplane.v1.WorkflowItemR\x06result\x12I\n" + "\n" + @@ -866,7 +836,6 @@ func file_controlplane_v1_workflow_proto_init() { file_controlplane_v1_pagination_proto_init() file_controlplane_v1_response_messages_proto_init() file_controlplane_v1_workflow_proto_msgTypes[1].OneofWrappers = []any{} - file_controlplane_v1_workflow_proto_msgTypes[6].OneofWrappers = []any{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ diff --git a/app/controlplane/api/controlplane/v1/workflow.proto b/app/controlplane/api/controlplane/v1/workflow.proto index ee15c87a2..3fd94eace 100644 --- a/app/controlplane/api/controlplane/v1/workflow.proto +++ b/app/controlplane/api/controlplane/v1/workflow.proto @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -58,7 +58,8 @@ message WorkflowServiceCreateRequest { string team = 5; string description = 6; - bool public = 7; + reserved 7; + reserved "public"; } message WorkflowServiceUpdateRequest { @@ -74,7 +75,8 @@ message WorkflowServiceUpdateRequest { // and not just the default value string project_name = 3 [(buf.validate.field).string = {min_len: 1}]; optional string team = 4; - optional bool public = 5; + reserved 5; + reserved "public"; optional string description = 6; optional string contract_name = 7 [(buf.validate.field) = { cel: { @@ -117,8 +119,8 @@ message WorkflowServiceListRequest { repeated string project_names = 3; // The description of the workflow string workflow_description = 4; - // If the workflow is public - optional bool workflow_public = 5; + reserved 5; + reserved "workflow_public"; // The type of runner that ran the workflow workflowcontract.v1.CraftingSchema.Runner.RunnerType workflow_run_runner_type = 6; // The status of the last workflow run diff --git a/app/controlplane/api/controlplane/v1/workflow_grpc.pb.go b/app/controlplane/api/controlplane/v1/workflow_grpc.pb.go index 02110b47e..0db490825 100644 --- a/app/controlplane/api/controlplane/v1/workflow_grpc.pb.go +++ b/app/controlplane/api/controlplane/v1/workflow_grpc.pb.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/referrer.ts b/app/controlplane/api/gen/frontend/controlplane/v1/referrer.ts index 7d3dc8408..270c7e357 100644 --- a/app/controlplane/api/gen/frontend/controlplane/v1/referrer.ts +++ b/app/controlplane/api/gen/frontend/controlplane/v1/referrer.ts @@ -30,32 +30,6 @@ export interface ReferrerServiceDiscoverPrivateRequest { projectVersion: string; } -/** - * DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method - * Deprecated: the public shared index is being retired. - * - * @deprecated - */ -export interface DiscoverPublicSharedRequest { - /** Digest is the unique identifier of the referrer to discover */ - digest: string; - /** - * Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ... - * Used to filter and resolve ambiguities - */ - kind: string; - /** Pagination options for the references list */ - pagination?: CursorPaginationRequest; -} - -/** DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method */ -export interface DiscoverPublicSharedResponse { - /** Result is the discovered referrer item */ - result?: ReferrerItem; - /** Pagination information for the references list */ - pagination?: CursorPaginationResponse; -} - /** ReferrerServiceDiscoverPrivateResponse is the response for the DiscoverPrivate method */ export interface ReferrerServiceDiscoverPrivateResponse { /** Result is the discovered referrer item */ @@ -72,8 +46,6 @@ export interface ReferrerItem { kind: string; /** Downloadable indicates whether the referrer is downloadable or not from CAS */ downloadable: boolean; - /** Public indicates whether the referrer is public since it belongs to a public workflow */ - public: boolean; /** References contains the list of related referrer items */ references: ReferrerItem[]; /** CreatedAt is the timestamp when the referrer was created */ @@ -211,169 +183,6 @@ export const ReferrerServiceDiscoverPrivateRequest = { }, }; -function createBaseDiscoverPublicSharedRequest(): DiscoverPublicSharedRequest { - return { digest: "", kind: "", pagination: undefined }; -} - -export const DiscoverPublicSharedRequest = { - encode(message: DiscoverPublicSharedRequest, writer: _m0.Writer = _m0.Writer.create()): _m0.Writer { - if (message.digest !== "") { - writer.uint32(10).string(message.digest); - } - if (message.kind !== "") { - writer.uint32(18).string(message.kind); - } - if (message.pagination !== undefined) { - CursorPaginationRequest.encode(message.pagination, writer.uint32(26).fork()).ldelim(); - } - return writer; - }, - - decode(input: _m0.Reader | Uint8Array, length?: number): DiscoverPublicSharedRequest { - const reader = input instanceof _m0.Reader ? input : _m0.Reader.create(input); - let end = length === undefined ? reader.len : reader.pos + length; - const message = createBaseDiscoverPublicSharedRequest(); - while (reader.pos < end) { - const tag = reader.uint32(); - switch (tag >>> 3) { - case 1: - if (tag !== 10) { - break; - } - - message.digest = reader.string(); - continue; - case 2: - if (tag !== 18) { - break; - } - - message.kind = reader.string(); - continue; - case 3: - if (tag !== 26) { - break; - } - - message.pagination = CursorPaginationRequest.decode(reader, reader.uint32()); - continue; - } - if ((tag & 7) === 4 || tag === 0) { - break; - } - reader.skipType(tag & 7); - } - return message; - }, - - fromJSON(object: any): DiscoverPublicSharedRequest { - return { - digest: isSet(object.digest) ? String(object.digest) : "", - kind: isSet(object.kind) ? String(object.kind) : "", - pagination: isSet(object.pagination) ? CursorPaginationRequest.fromJSON(object.pagination) : undefined, - }; - }, - - toJSON(message: DiscoverPublicSharedRequest): unknown { - const obj: any = {}; - message.digest !== undefined && (obj.digest = message.digest); - message.kind !== undefined && (obj.kind = message.kind); - message.pagination !== undefined && - (obj.pagination = message.pagination ? CursorPaginationRequest.toJSON(message.pagination) : undefined); - return obj; - }, - - create, I>>(base?: I): DiscoverPublicSharedRequest { - return DiscoverPublicSharedRequest.fromPartial(base ?? {}); - }, - - fromPartial, I>>(object: I): DiscoverPublicSharedRequest { - const message = createBaseDiscoverPublicSharedRequest(); - message.digest = object.digest ?? ""; - message.kind = object.kind ?? ""; - message.pagination = (object.pagination !== undefined && object.pagination !== null) - ? CursorPaginationRequest.fromPartial(object.pagination) - : undefined; - return message; - }, -}; - -function createBaseDiscoverPublicSharedResponse(): DiscoverPublicSharedResponse { - return { result: undefined, pagination: undefined }; -} - -export const DiscoverPublicSharedResponse = { - encode(message: DiscoverPublicSharedResponse, writer: _m0.Writer = _m0.Writer.create()): _m0.Writer { - if (message.result !== undefined) { - ReferrerItem.encode(message.result, writer.uint32(10).fork()).ldelim(); - } - if (message.pagination !== undefined) { - CursorPaginationResponse.encode(message.pagination, writer.uint32(18).fork()).ldelim(); - } - return writer; - }, - - decode(input: _m0.Reader | Uint8Array, length?: number): DiscoverPublicSharedResponse { - const reader = input instanceof _m0.Reader ? input : _m0.Reader.create(input); - let end = length === undefined ? reader.len : reader.pos + length; - const message = createBaseDiscoverPublicSharedResponse(); - while (reader.pos < end) { - const tag = reader.uint32(); - switch (tag >>> 3) { - case 1: - if (tag !== 10) { - break; - } - - message.result = ReferrerItem.decode(reader, reader.uint32()); - continue; - case 2: - if (tag !== 18) { - break; - } - - message.pagination = CursorPaginationResponse.decode(reader, reader.uint32()); - continue; - } - if ((tag & 7) === 4 || tag === 0) { - break; - } - reader.skipType(tag & 7); - } - return message; - }, - - fromJSON(object: any): DiscoverPublicSharedResponse { - return { - result: isSet(object.result) ? ReferrerItem.fromJSON(object.result) : undefined, - pagination: isSet(object.pagination) ? CursorPaginationResponse.fromJSON(object.pagination) : undefined, - }; - }, - - toJSON(message: DiscoverPublicSharedResponse): unknown { - const obj: any = {}; - message.result !== undefined && (obj.result = message.result ? ReferrerItem.toJSON(message.result) : undefined); - message.pagination !== undefined && - (obj.pagination = message.pagination ? CursorPaginationResponse.toJSON(message.pagination) : undefined); - return obj; - }, - - create, I>>(base?: I): DiscoverPublicSharedResponse { - return DiscoverPublicSharedResponse.fromPartial(base ?? {}); - }, - - fromPartial, I>>(object: I): DiscoverPublicSharedResponse { - const message = createBaseDiscoverPublicSharedResponse(); - message.result = (object.result !== undefined && object.result !== null) - ? ReferrerItem.fromPartial(object.result) - : undefined; - message.pagination = (object.pagination !== undefined && object.pagination !== null) - ? CursorPaginationResponse.fromPartial(object.pagination) - : undefined; - return message; - }, -}; - function createBaseReferrerServiceDiscoverPrivateResponse(): ReferrerServiceDiscoverPrivateResponse { return { result: undefined, pagination: undefined }; } @@ -459,7 +268,6 @@ function createBaseReferrerItem(): ReferrerItem { digest: "", kind: "", downloadable: false, - public: false, references: [], createdAt: undefined, metadata: {}, @@ -478,9 +286,6 @@ export const ReferrerItem = { if (message.downloadable === true) { writer.uint32(24).bool(message.downloadable); } - if (message.public === true) { - writer.uint32(48).bool(message.public); - } for (const v of message.references) { ReferrerItem.encode(v!, writer.uint32(34).fork()).ldelim(); } @@ -524,13 +329,6 @@ export const ReferrerItem = { message.downloadable = reader.bool(); continue; - case 6: - if (tag !== 48) { - break; - } - - message.public = reader.bool(); - continue; case 4: if (tag !== 34) { break; @@ -579,7 +377,6 @@ export const ReferrerItem = { digest: isSet(object.digest) ? String(object.digest) : "", kind: isSet(object.kind) ? String(object.kind) : "", downloadable: isSet(object.downloadable) ? Boolean(object.downloadable) : false, - public: isSet(object.public) ? Boolean(object.public) : false, references: Array.isArray(object?.references) ? object.references.map((e: any) => ReferrerItem.fromJSON(e)) : [], createdAt: isSet(object.createdAt) ? fromJsonTimestamp(object.createdAt) : undefined, metadata: isObject(object.metadata) @@ -602,7 +399,6 @@ export const ReferrerItem = { message.digest !== undefined && (obj.digest = message.digest); message.kind !== undefined && (obj.kind = message.kind); message.downloadable !== undefined && (obj.downloadable = message.downloadable); - message.public !== undefined && (obj.public = message.public); if (message.references) { obj.references = message.references.map((e) => e ? ReferrerItem.toJSON(e) : undefined); } else { @@ -633,7 +429,6 @@ export const ReferrerItem = { message.digest = object.digest ?? ""; message.kind = object.kind ?? ""; message.downloadable = object.downloadable ?? false; - message.public = object.public ?? false; message.references = object.references?.map((e) => ReferrerItem.fromPartial(e)) || []; message.createdAt = object.createdAt ?? undefined; message.metadata = Object.entries(object.metadata ?? {}).reduce<{ [key: string]: string }>((acc, [key, value]) => { @@ -799,16 +594,6 @@ export interface ReferrerService { request: DeepPartial, metadata?: grpc.Metadata, ): Promise; - /** - * DiscoverPublicShared returns the referrer item for a given digest in the public shared index - * Deprecated: the public shared index is being retired. - * - * @deprecated - */ - DiscoverPublicShared( - request: DeepPartial, - metadata?: grpc.Metadata, - ): Promise; } export class ReferrerServiceClientImpl implements ReferrerService { @@ -817,7 +602,6 @@ export class ReferrerServiceClientImpl implements ReferrerService { constructor(rpc: Rpc) { this.rpc = rpc; this.DiscoverPrivate = this.DiscoverPrivate.bind(this); - this.DiscoverPublicShared = this.DiscoverPublicShared.bind(this); } DiscoverPrivate( @@ -830,17 +614,6 @@ export class ReferrerServiceClientImpl implements ReferrerService { metadata, ); } - - DiscoverPublicShared( - request: DeepPartial, - metadata?: grpc.Metadata, - ): Promise { - return this.rpc.unary( - ReferrerServiceDiscoverPublicSharedDesc, - DiscoverPublicSharedRequest.fromPartial(request), - metadata, - ); - } } export const ReferrerServiceDesc = { serviceName: "controlplane.v1.ReferrerService" }; @@ -868,29 +641,6 @@ export const ReferrerServiceDiscoverPrivateDesc: UnaryMethodDefinitionish = { } as any, }; -export const ReferrerServiceDiscoverPublicSharedDesc: UnaryMethodDefinitionish = { - methodName: "DiscoverPublicShared", - service: ReferrerServiceDesc, - requestStream: false, - responseStream: false, - requestType: { - serializeBinary() { - return DiscoverPublicSharedRequest.encode(this).finish(); - }, - } as any, - responseType: { - deserializeBinary(data: Uint8Array) { - const value = DiscoverPublicSharedResponse.decode(data); - return { - ...value, - toObject() { - return value; - }, - }; - }, - } as any, -}; - interface UnaryMethodDefinitionishR extends grpc.UnaryMethodDefinition { requestStream: any; responseStream: any; diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts b/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts index dea3ff5c2..e23dc8273 100644 --- a/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts +++ b/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts @@ -501,9 +501,10 @@ export interface WorkflowItem { /** Current, latest revision of the contract */ contractRevisionLatest: number; /** - * A public workflow means that any user can - * - access to all its workflow runs - * - their attestation and materials + * Deprecated: public workflows were removed. This field is always false and + * is retained only for wire compatibility; it will be removed in a future release. + * + * @deprecated */ public: boolean; description: string; diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/workflow.ts b/app/controlplane/api/gen/frontend/controlplane/v1/workflow.ts index da433d54b..213aa85a6 100644 --- a/app/controlplane/api/gen/frontend/controlplane/v1/workflow.ts +++ b/app/controlplane/api/gen/frontend/controlplane/v1/workflow.ts @@ -68,7 +68,6 @@ export interface WorkflowServiceCreateRequest { contractBytes: Uint8Array; team: string; description: string; - public: boolean; } export interface WorkflowServiceUpdateRequest { @@ -79,7 +78,6 @@ export interface WorkflowServiceUpdateRequest { */ projectName: string; team?: string | undefined; - public?: boolean | undefined; description?: string | undefined; contractName?: string | undefined; } @@ -109,10 +107,6 @@ export interface WorkflowServiceListRequest { projectNames: string[]; /** The description of the workflow */ workflowDescription: string; - /** If the workflow is public */ - workflowPublic?: - | boolean - | undefined; /** The type of runner that ran the workflow */ workflowRunRunnerType: CraftingSchema_Runner_RunnerType; /** The status of the last workflow run */ @@ -140,15 +134,7 @@ export interface WorkflowServiceViewResponse { } function createBaseWorkflowServiceCreateRequest(): WorkflowServiceCreateRequest { - return { - name: "", - projectName: "", - contractName: "", - contractBytes: new Uint8Array(0), - team: "", - description: "", - public: false, - }; + return { name: "", projectName: "", contractName: "", contractBytes: new Uint8Array(0), team: "", description: "" }; } export const WorkflowServiceCreateRequest = { @@ -171,9 +157,6 @@ export const WorkflowServiceCreateRequest = { if (message.description !== "") { writer.uint32(50).string(message.description); } - if (message.public === true) { - writer.uint32(56).bool(message.public); - } return writer; }, @@ -226,13 +209,6 @@ export const WorkflowServiceCreateRequest = { message.description = reader.string(); continue; - case 7: - if (tag !== 56) { - break; - } - - message.public = reader.bool(); - continue; } if ((tag & 7) === 4 || tag === 0) { break; @@ -250,7 +226,6 @@ export const WorkflowServiceCreateRequest = { contractBytes: isSet(object.contractBytes) ? bytesFromBase64(object.contractBytes) : new Uint8Array(0), team: isSet(object.team) ? String(object.team) : "", description: isSet(object.description) ? String(object.description) : "", - public: isSet(object.public) ? Boolean(object.public) : false, }; }, @@ -265,7 +240,6 @@ export const WorkflowServiceCreateRequest = { )); message.team !== undefined && (obj.team = message.team); message.description !== undefined && (obj.description = message.description); - message.public !== undefined && (obj.public = message.public); return obj; }, @@ -281,20 +255,12 @@ export const WorkflowServiceCreateRequest = { message.contractBytes = object.contractBytes ?? new Uint8Array(0); message.team = object.team ?? ""; message.description = object.description ?? ""; - message.public = object.public ?? false; return message; }, }; function createBaseWorkflowServiceUpdateRequest(): WorkflowServiceUpdateRequest { - return { - name: "", - projectName: "", - team: undefined, - public: undefined, - description: undefined, - contractName: undefined, - }; + return { name: "", projectName: "", team: undefined, description: undefined, contractName: undefined }; } export const WorkflowServiceUpdateRequest = { @@ -308,9 +274,6 @@ export const WorkflowServiceUpdateRequest = { if (message.team !== undefined) { writer.uint32(34).string(message.team); } - if (message.public !== undefined) { - writer.uint32(40).bool(message.public); - } if (message.description !== undefined) { writer.uint32(50).string(message.description); } @@ -348,13 +311,6 @@ export const WorkflowServiceUpdateRequest = { message.team = reader.string(); continue; - case 5: - if (tag !== 40) { - break; - } - - message.public = reader.bool(); - continue; case 6: if (tag !== 50) { break; @@ -383,7 +339,6 @@ export const WorkflowServiceUpdateRequest = { name: isSet(object.name) ? String(object.name) : "", projectName: isSet(object.projectName) ? String(object.projectName) : "", team: isSet(object.team) ? String(object.team) : undefined, - public: isSet(object.public) ? Boolean(object.public) : undefined, description: isSet(object.description) ? String(object.description) : undefined, contractName: isSet(object.contractName) ? String(object.contractName) : undefined, }; @@ -394,7 +349,6 @@ export const WorkflowServiceUpdateRequest = { message.name !== undefined && (obj.name = message.name); message.projectName !== undefined && (obj.projectName = message.projectName); message.team !== undefined && (obj.team = message.team); - message.public !== undefined && (obj.public = message.public); message.description !== undefined && (obj.description = message.description); message.contractName !== undefined && (obj.contractName = message.contractName); return obj; @@ -409,7 +363,6 @@ export const WorkflowServiceUpdateRequest = { message.name = object.name ?? ""; message.projectName = object.projectName ?? ""; message.team = object.team ?? undefined; - message.public = object.public ?? undefined; message.description = object.description ?? undefined; message.contractName = object.contractName ?? undefined; return message; @@ -657,7 +610,6 @@ function createBaseWorkflowServiceListRequest(): WorkflowServiceListRequest { workflowTeam: "", projectNames: [], workflowDescription: "", - workflowPublic: undefined, workflowRunRunnerType: 0, workflowRunLastStatus: 0, workflowLastActivityWindow: 0, @@ -680,9 +632,6 @@ export const WorkflowServiceListRequest = { if (message.workflowDescription !== "") { writer.uint32(34).string(message.workflowDescription); } - if (message.workflowPublic !== undefined) { - writer.uint32(40).bool(message.workflowPublic); - } if (message.workflowRunRunnerType !== 0) { writer.uint32(48).int32(message.workflowRunRunnerType); } @@ -736,13 +685,6 @@ export const WorkflowServiceListRequest = { message.workflowDescription = reader.string(); continue; - case 5: - if (tag !== 40) { - break; - } - - message.workflowPublic = reader.bool(); - continue; case 6: if (tag !== 48) { break; @@ -793,7 +735,6 @@ export const WorkflowServiceListRequest = { workflowTeam: isSet(object.workflowTeam) ? String(object.workflowTeam) : "", projectNames: Array.isArray(object?.projectNames) ? object.projectNames.map((e: any) => String(e)) : [], workflowDescription: isSet(object.workflowDescription) ? String(object.workflowDescription) : "", - workflowPublic: isSet(object.workflowPublic) ? Boolean(object.workflowPublic) : undefined, workflowRunRunnerType: isSet(object.workflowRunRunnerType) ? craftingSchema_Runner_RunnerTypeFromJSON(object.workflowRunRunnerType) : 0, @@ -816,7 +757,6 @@ export const WorkflowServiceListRequest = { obj.projectNames = []; } message.workflowDescription !== undefined && (obj.workflowDescription = message.workflowDescription); - message.workflowPublic !== undefined && (obj.workflowPublic = message.workflowPublic); message.workflowRunRunnerType !== undefined && (obj.workflowRunRunnerType = craftingSchema_Runner_RunnerTypeToJSON(message.workflowRunRunnerType)); message.workflowRunLastStatus !== undefined && @@ -843,7 +783,6 @@ export const WorkflowServiceListRequest = { message.workflowTeam = object.workflowTeam ?? ""; message.projectNames = object.projectNames?.map((e) => e) || []; message.workflowDescription = object.workflowDescription ?? ""; - message.workflowPublic = object.workflowPublic ?? undefined; message.workflowRunRunnerType = object.workflowRunRunnerType ?? 0; message.workflowRunLastStatus = object.workflowRunLastStatus ?? 0; message.workflowLastActivityWindow = object.workflowLastActivityWindow ?? 0; diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json deleted file mode 100644 index c1e135f13..000000000 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "$id": "controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json", - "$schema": "https://json-schema.org/draft/2020-12/schema", - "additionalProperties": false, - "description": "DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method\n Deprecated: the public shared index is being retired.", - "properties": { - "digest": { - "description": "Digest is the unique identifier of the referrer to discover", - "minLength": 1, - "type": "string" - }, - "kind": { - "description": "Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ...\n Used to filter and resolve ambiguities", - "type": "string" - }, - "pagination": { - "$ref": "controlplane.v1.CursorPaginationRequest.jsonschema.json", - "description": "Pagination options for the references list" - } - }, - "title": "Discover Public Shared Request", - "type": "object" -} diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.schema.json deleted file mode 100644 index 498bb60b5..000000000 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.schema.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "$id": "controlplane.v1.DiscoverPublicSharedRequest.schema.json", - "$schema": "https://json-schema.org/draft/2020-12/schema", - "additionalProperties": false, - "description": "DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method\n Deprecated: the public shared index is being retired.", - "properties": { - "digest": { - "description": "Digest is the unique identifier of the referrer to discover", - "minLength": 1, - "type": "string" - }, - "kind": { - "description": "Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ...\n Used to filter and resolve ambiguities", - "type": "string" - }, - "pagination": { - "$ref": "controlplane.v1.CursorPaginationRequest.schema.json", - "description": "Pagination options for the references list" - } - }, - "title": "Discover Public Shared Request", - "type": "object" -} diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.jsonschema.json deleted file mode 100644 index ebb28c383..000000000 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.jsonschema.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "$id": "controlplane.v1.DiscoverPublicSharedResponse.jsonschema.json", - "$schema": "https://json-schema.org/draft/2020-12/schema", - "additionalProperties": false, - "description": "DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method", - "properties": { - "pagination": { - "$ref": "controlplane.v1.CursorPaginationResponse.jsonschema.json", - "description": "Pagination information for the references list" - }, - "result": { - "$ref": "controlplane.v1.ReferrerItem.jsonschema.json", - "description": "Result is the discovered referrer item" - } - }, - "title": "Discover Public Shared Response", - "type": "object" -} diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.schema.json deleted file mode 100644 index 282690659..000000000 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.schema.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "$id": "controlplane.v1.DiscoverPublicSharedResponse.schema.json", - "$schema": "https://json-schema.org/draft/2020-12/schema", - "additionalProperties": false, - "description": "DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method", - "properties": { - "pagination": { - "$ref": "controlplane.v1.CursorPaginationResponse.schema.json", - "description": "Pagination information for the references list" - }, - "result": { - "$ref": "controlplane.v1.ReferrerItem.schema.json", - "description": "Result is the discovered referrer item" - } - }, - "title": "Discover Public Shared Response", - "type": "object" -} diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.jsonschema.json index 41416b12f..ef56a5dbe 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.jsonschema.json @@ -46,10 +46,6 @@ }, "type": "object" }, - "public": { - "description": "Public indicates whether the referrer is public since it belongs to a public workflow", - "type": "boolean" - }, "references": { "description": "References contains the list of related referrer items", "items": { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.schema.json index 1d6242f66..c5aa6e231 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.schema.json @@ -46,10 +46,6 @@ }, "type": "object" }, - "public": { - "description": "Public indicates whether the referrer is public since it belongs to a public workflow", - "type": "boolean" - }, "references": { "description": "References contains the list of related referrer items", "items": { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.jsonschema.json index 767f1f716..4c82ec5c6 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.jsonschema.json @@ -61,7 +61,7 @@ "type": "string" }, "public": { - "description": "A public workflow means that any user can\n - access to all its workflow runs\n - their attestation and materials", + "description": "Deprecated: public workflows were removed. This field is always false and\n is retained only for wire compatibility; it will be removed in a future release.", "type": "boolean" }, "runsCount": { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.schema.json index 9a3fc8afa..da762dc32 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.schema.json @@ -61,7 +61,7 @@ "type": "string" }, "public": { - "description": "A public workflow means that any user can\n - access to all its workflow runs\n - their attestation and materials", + "description": "Deprecated: public workflows were removed. This field is always false and\n is retained only for wire compatibility; it will be removed in a future release.", "type": "boolean" }, "runs_count": { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.jsonschema.json index 3144eff12..ff3857f7a 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.jsonschema.json @@ -37,9 +37,6 @@ "minLength": 1, "type": "string" }, - "public": { - "type": "boolean" - }, "team": { "type": "string" } diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.schema.json index b3af70bc0..31339fca7 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.schema.json @@ -37,9 +37,6 @@ "minLength": 1, "type": "string" }, - "public": { - "type": "boolean" - }, "team": { "type": "string" } diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.jsonschema.json index 40da111f9..c8b43d021 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.jsonschema.json @@ -45,10 +45,6 @@ "description": "The name of the workflow to filter by", "type": "string" }, - "^(workflow_public)$": { - "description": "If the workflow is public", - "type": "boolean" - }, "^(workflow_run_last_status)$": { "anyOf": [ { @@ -149,10 +145,6 @@ "description": "The name of the workflow to filter by", "type": "string" }, - "workflowPublic": { - "description": "If the workflow is public", - "type": "boolean" - }, "workflowRunLastStatus": { "anyOf": [ { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.schema.json index 5920fcfdd..25ca75d53 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.schema.json @@ -45,10 +45,6 @@ "description": "The name of the workflow to filter by", "type": "string" }, - "^(workflowPublic)$": { - "description": "If the workflow is public", - "type": "boolean" - }, "^(workflowRunLastStatus)$": { "anyOf": [ { @@ -149,10 +145,6 @@ "description": "The name of the workflow to filter by", "type": "string" }, - "workflow_public": { - "description": "If the workflow is public", - "type": "boolean" - }, "workflow_run_last_status": { "anyOf": [ { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.jsonschema.json index 8f89d5ffa..d8ff039a8 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.jsonschema.json @@ -27,9 +27,6 @@ "minLength": 1, "type": "string" }, - "public": { - "type": "boolean" - }, "team": { "type": "string" } diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.schema.json index 0a20e527a..bff0a14c1 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.schema.json @@ -27,9 +27,6 @@ "minLength": 1, "type": "string" }, - "public": { - "type": "boolean" - }, "team": { "type": "string" } diff --git a/app/controlplane/api/gen/openapi/openapi.yaml b/app/controlplane/api/gen/openapi/openapi.yaml index 5a3e5a288..a5036f3b3 100644 --- a/app/controlplane/api/gen/openapi/openapi.yaml +++ b/app/controlplane/api/gen/openapi/openapi.yaml @@ -22,54 +22,6 @@ externalDocs: description: Chainloop Official Documentation url: https://docs.chainloop.dev paths: - /discover/shared/{digest}: - get: - description: Returns the referrer item for a given digest in the public shared index - operationId: ReferrerService_DiscoverPublicShared - parameters: - - description: Digest is the unique identifier of the referrer to discover - in: path - name: digest - required: true - schema: - type: string - - description: >- - Kind is the optional type of referrer, i.e CONTAINER_IMAGE, - GIT_HEAD, ... - - Used to filter and resolve ambiguities - in: query - name: kind - schema: - type: string - - in: query - name: pagination.cursor - schema: - type: string - - description: Limit pagination to 100 - in: query - name: pagination.limit - schema: - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/v1DiscoverPublicSharedResponse' - description: A successful response. - default: - content: - application/json: - schema: - $ref: '#/components/schemas/rpcStatus' - description: An unexpected error response. - summary: Discover public shared referrer - tags: - - ReferrerService - security: - - bearerToken: [] /discover/{digest}: get: description: >- @@ -284,38 +236,12 @@ components: next_cursor: type: string type: object - v1DiscoverPublicSharedResponse: - description: Response for the DiscoverPublicShared method - example: - result: - downloadable: true - metadata: - key: metadata - public: true - references: - - null - - null - kind: kind - digest: digest - created_at: '2000-01-23T04:56:07.000+00:00' - annotations: - key: annotations - pagination: - next_cursor: next_cursor - properties: - result: - $ref: '#/components/schemas/v1ReferrerItem' - pagination: - $ref: '#/components/schemas/v1CursorPaginationResponse' - title: DiscoverPublicSharedResponse - type: object v1ReferrerItem: description: It represents a referrer object in the system example: downloadable: true metadata: key: metadata - public: true references: - null - null @@ -336,11 +262,6 @@ components: Downloadable indicates whether the referrer is downloadable or not from CAS type: boolean - public: - title: >- - Public indicates whether the referrer is public since it belongs to - a public workflow - type: boolean references: items: $ref: '#/components/schemas/v1ReferrerItem' @@ -371,7 +292,6 @@ components: downloadable: true metadata: key: metadata - public: true references: - null - null diff --git a/app/controlplane/cmd/wire.go b/app/controlplane/cmd/wire.go index 5c0ef1180..ab5903af0 100644 --- a/app/controlplane/cmd/wire.go +++ b/app/controlplane/cmd/wire.go @@ -59,7 +59,7 @@ func wireApp(context.Context, *conf.Bootstrap, credentials.ReaderWriter, log.Log wire.Bind(new(biz.CASClient), new(*biz.CASClientUseCase)), serviceOpts, wire.Value([]biz.CASClientOpts{}), - wire.FieldsOf(new(*conf.Bootstrap), "Server", "Auth", "Data", "CasServer", "ReferrerSharedIndex", "Onboarding", "PrometheusIntegration", "PolicyProviders", "NatsServer", "FederatedAuthentication", "OperationAuthorizationProvider"), + wire.FieldsOf(new(*conf.Bootstrap), "Server", "Auth", "Data", "CasServer", "Onboarding", "PrometheusIntegration", "PolicyProviders", "NatsServer", "FederatedAuthentication", "OperationAuthorizationProvider"), wire.FieldsOf(new(*conf.Data), "Database"), dispatcher.New, authz.NewCasbinEnforcer, @@ -77,7 +77,6 @@ func wireApp(context.Context, *conf.Bootstrap, credentials.ReaderWriter, log.Log newJWTConfig, authzConfig, authzUseCaseConfig, - biz.NewIndexConfig, ), ) } diff --git a/app/controlplane/cmd/wire_gen.go b/app/controlplane/cmd/wire_gen.go index 13ff75105..350656274 100644 --- a/app/controlplane/cmd/wire_gen.go +++ b/app/controlplane/cmd/wire_gen.go @@ -125,15 +125,7 @@ func wireApp(contextContext context.Context, bootstrap *conf.Bootstrap, readerWr v2 := _wireValue casClientUseCase := biz.NewCASClientUseCase(casCredentialsUseCase, bootstrap_CASServer, logger, v2...) referrerRepo := data.NewReferrerRepo(dataData, workflowRepo, logger) - referrerSharedIndex := bootstrap.ReferrerSharedIndex - referrerSharedIndexConfig, err := biz.NewIndexConfig(referrerSharedIndex) - if err != nil { - cleanup3() - cleanup2() - cleanup() - return nil, nil, err - } - referrerUseCase, err := biz.NewReferrerUseCase(referrerRepo, workflowRepo, membershipUseCase, referrerSharedIndexConfig, logger) + referrerUseCase, err := biz.NewReferrerUseCase(referrerRepo, workflowRepo, membershipUseCase, logger) if err != nil { cleanup3() cleanup2() diff --git a/app/controlplane/configs/samples/config.yaml b/app/controlplane/configs/samples/config.yaml index 04c5f3f63..b7f7a9614 100644 --- a/app/controlplane/configs/samples/config.yaml +++ b/app/controlplane/configs/samples/config.yaml @@ -57,16 +57,6 @@ credentials_service: # client_secret: Service Principal Secret # vault_uri: https://myvault.vault.azure.net/ -# referrer shared index configuration. -# This is used to enable a shared index API endpoint that can be used to discover metadata referrers -# To populate the shared index you need to enable the feature and configure the allowed orgs -# The reason to have an org allowList is to avoid leaking metadata from other organizations -# and set the stage for a trusted publisher model -referrer_shared_index: - enabled: true - allowed_orgs: - - deadbeef - onboarding: - name: "read-only-demo" role: MEMBERSHIP_ROLE_ORG_VIEWER diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf.go b/app/controlplane/internal/conf/controlplane/config/v1/conf.go deleted file mode 100644 index 8bdf8f416..000000000 --- a/app/controlplane/internal/conf/controlplane/config/v1/conf.go +++ /dev/null @@ -1,41 +0,0 @@ -// -// Copyright 2023 The Chainloop Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package conf - -import ( - "errors" - "fmt" - - "github.com/google/uuid" -) - -func (c *ReferrerSharedIndex) ValidateOrgs() error { - if c == nil || !c.Enabled { - return nil - } - - if c.Enabled && len(c.AllowedOrgs) == 0 { - return errors.New("index is enabled, but no orgs are allowed") - } - - for _, orgID := range c.AllowedOrgs { - if _, err := uuid.Parse(orgID); err != nil { - return fmt.Errorf("invalid org id: %s", orgID) - } - } - - return nil -} diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go b/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go index e34afb9a3..aeccaa51e 100644 --- a/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go +++ b/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go @@ -52,8 +52,6 @@ type Bootstrap struct { // Plugins directory // NOTE: plugins have the form of chainloop-plugin- PluginsDir string `protobuf:"bytes,7,opt,name=plugins_dir,json=pluginsDir,proto3" json:"plugins_dir,omitempty"` - // Configuration about the shared referrer index - ReferrerSharedIndex *ReferrerSharedIndex `protobuf:"bytes,8,opt,name=referrer_shared_index,json=referrerSharedIndex,proto3" json:"referrer_shared_index,omitempty"` // The certificate authority used for keyless signing (deprecated, use certificate_authorities instead) // // Deprecated: Marked as deprecated in controlplane/config/v1/conf.proto. @@ -167,13 +165,6 @@ func (x *Bootstrap) GetPluginsDir() string { return "" } -func (x *Bootstrap) GetReferrerSharedIndex() *ReferrerSharedIndex { - if x != nil { - return x.ReferrerSharedIndex - } - return nil -} - // Deprecated: Marked as deprecated in controlplane/config/v1/conf.proto. func (x *Bootstrap) GetCertificateAuthority() *CA { if x != nil { @@ -507,64 +498,6 @@ func (x *PolicyProvider) GetUrl() string { return "" } -// Configuration used to enable a shared index API endpoint that can be used to discover metadata referrers -// To populate the shared index you need to enable the feature and configure the allowed orgs -// The reason to have an org allowList is to avoid leaking metadata from other organizations and set the stage for a trusted publisher model -type ReferrerSharedIndex struct { - state protoimpl.MessageState `protogen:"open.v1"` - // If the shared, public index feature is enabled - Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"` - // list of organizations uuids that are allowed to appear in the shared referrer index - // think of it as a list of trusted publishers - AllowedOrgs []string `protobuf:"bytes,2,rep,name=allowed_orgs,json=allowedOrgs,proto3" json:"allowed_orgs,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache -} - -func (x *ReferrerSharedIndex) Reset() { - *x = ReferrerSharedIndex{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *ReferrerSharedIndex) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ReferrerSharedIndex) ProtoMessage() {} - -func (x *ReferrerSharedIndex) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[5] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ReferrerSharedIndex.ProtoReflect.Descriptor instead. -func (*ReferrerSharedIndex) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5} -} - -func (x *ReferrerSharedIndex) GetEnabled() bool { - if x != nil { - return x.Enabled - } - return false -} - -func (x *ReferrerSharedIndex) GetAllowedOrgs() []string { - if x != nil { - return x.AllowedOrgs - } - return nil -} - type Server struct { state protoimpl.MessageState `protogen:"open.v1"` Http *Server_HTTP `protobuf:"bytes,1,opt,name=http,proto3" json:"http,omitempty"` @@ -577,7 +510,7 @@ type Server struct { func (x *Server) Reset() { *x = Server{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[6] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -589,7 +522,7 @@ func (x *Server) String() string { func (*Server) ProtoMessage() {} func (x *Server) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[6] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[5] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -602,7 +535,7 @@ func (x *Server) ProtoReflect() protoreflect.Message { // Deprecated: Use Server.ProtoReflect.Descriptor instead. func (*Server) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5} } func (x *Server) GetHttp() *Server_HTTP { @@ -635,7 +568,7 @@ type Data struct { func (x *Data) Reset() { *x = Data{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[7] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -647,7 +580,7 @@ func (x *Data) String() string { func (*Data) ProtoMessage() {} func (x *Data) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[7] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[6] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -660,7 +593,7 @@ func (x *Data) ProtoReflect() protoreflect.Message { // Deprecated: Use Data.ProtoReflect.Descriptor instead. func (*Data) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{7} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6} } func (x *Data) GetDatabase() *Data_Database { @@ -685,7 +618,7 @@ type Auth struct { func (x *Auth) Reset() { *x = Auth{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[8] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -697,7 +630,7 @@ func (x *Auth) String() string { func (*Auth) ProtoMessage() {} func (x *Auth) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[8] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[7] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -710,7 +643,7 @@ func (x *Auth) ProtoReflect() protoreflect.Message { // Deprecated: Use Auth.ProtoReflect.Descriptor instead. func (*Auth) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{8} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{7} } func (x *Auth) GetGeneratedJwsHmacSecret() string { @@ -762,7 +695,7 @@ type TSA struct { func (x *TSA) Reset() { *x = TSA{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[9] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -774,7 +707,7 @@ func (x *TSA) String() string { func (*TSA) ProtoMessage() {} func (x *TSA) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[9] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[8] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -787,7 +720,7 @@ func (x *TSA) ProtoReflect() protoreflect.Message { // Deprecated: Use TSA.ProtoReflect.Descriptor instead. func (*TSA) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{9} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{8} } func (x *TSA) GetUrl() string { @@ -828,7 +761,7 @@ type CA struct { func (x *CA) Reset() { *x = CA{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[10] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -840,7 +773,7 @@ func (x *CA) String() string { func (*CA) ProtoMessage() {} func (x *CA) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[10] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[9] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -853,7 +786,7 @@ func (x *CA) ProtoReflect() protoreflect.Message { // Deprecated: Use CA.ProtoReflect.Descriptor instead. func (*CA) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{10} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{9} } func (x *CA) GetCa() isCA_Ca { @@ -915,7 +848,7 @@ type PrometheusIntegrationSpec struct { func (x *PrometheusIntegrationSpec) Reset() { *x = PrometheusIntegrationSpec{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[11] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -927,7 +860,7 @@ func (x *PrometheusIntegrationSpec) String() string { func (*PrometheusIntegrationSpec) ProtoMessage() {} func (x *PrometheusIntegrationSpec) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[11] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[10] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -940,7 +873,7 @@ func (x *PrometheusIntegrationSpec) ProtoReflect() protoreflect.Message { // Deprecated: Use PrometheusIntegrationSpec.ProtoReflect.Descriptor instead. func (*PrometheusIntegrationSpec) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{11} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{10} } func (x *PrometheusIntegrationSpec) GetOrgName() string { @@ -960,7 +893,7 @@ type Bootstrap_Observability struct { func (x *Bootstrap_Observability) Reset() { *x = Bootstrap_Observability{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[12] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -972,7 +905,7 @@ func (x *Bootstrap_Observability) String() string { func (*Bootstrap_Observability) ProtoMessage() {} func (x *Bootstrap_Observability) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[12] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[11] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1022,7 +955,7 @@ type Bootstrap_CASServer struct { func (x *Bootstrap_CASServer) Reset() { *x = Bootstrap_CASServer{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[13] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1034,7 +967,7 @@ func (x *Bootstrap_CASServer) String() string { func (*Bootstrap_CASServer) ProtoMessage() {} func (x *Bootstrap_CASServer) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[13] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[12] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1095,7 +1028,7 @@ type Bootstrap_NatsServer struct { func (x *Bootstrap_NatsServer) Reset() { *x = Bootstrap_NatsServer{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[14] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1107,7 +1040,7 @@ func (x *Bootstrap_NatsServer) String() string { func (*Bootstrap_NatsServer) ProtoMessage() {} func (x *Bootstrap_NatsServer) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[14] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[13] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1174,7 +1107,7 @@ type Bootstrap_Observability_Sentry struct { func (x *Bootstrap_Observability_Sentry) Reset() { *x = Bootstrap_Observability_Sentry{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[15] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[14] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1186,7 +1119,7 @@ func (x *Bootstrap_Observability_Sentry) String() string { func (*Bootstrap_Observability_Sentry) ProtoMessage() {} func (x *Bootstrap_Observability_Sentry) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[15] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[14] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1233,7 +1166,7 @@ type Bootstrap_Observability_Tracing struct { func (x *Bootstrap_Observability_Tracing) Reset() { *x = Bootstrap_Observability_Tracing{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[16] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[15] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1245,7 +1178,7 @@ func (x *Bootstrap_Observability_Tracing) String() string { func (*Bootstrap_Observability_Tracing) ProtoMessage() {} func (x *Bootstrap_Observability_Tracing) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[16] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[15] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1303,7 +1236,7 @@ type Server_HTTP struct { func (x *Server_HTTP) Reset() { *x = Server_HTTP{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[17] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[16] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1315,7 +1248,7 @@ func (x *Server_HTTP) String() string { func (*Server_HTTP) ProtoMessage() {} func (x *Server_HTTP) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[17] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[16] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1328,7 +1261,7 @@ func (x *Server_HTTP) ProtoReflect() protoreflect.Message { // Deprecated: Use Server_HTTP.ProtoReflect.Descriptor instead. func (*Server_HTTP) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6, 0} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5, 0} } func (x *Server_HTTP) GetNetwork() string { @@ -1370,7 +1303,7 @@ type Server_TLS struct { func (x *Server_TLS) Reset() { *x = Server_TLS{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[18] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[17] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1382,7 +1315,7 @@ func (x *Server_TLS) String() string { func (*Server_TLS) ProtoMessage() {} func (x *Server_TLS) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[18] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[17] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1395,7 +1328,7 @@ func (x *Server_TLS) ProtoReflect() protoreflect.Message { // Deprecated: Use Server_TLS.ProtoReflect.Descriptor instead. func (*Server_TLS) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6, 1} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5, 1} } func (x *Server_TLS) GetCertificate() string { @@ -1427,7 +1360,7 @@ type Server_GRPC struct { func (x *Server_GRPC) Reset() { *x = Server_GRPC{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[19] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[18] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1439,7 +1372,7 @@ func (x *Server_GRPC) String() string { func (*Server_GRPC) ProtoMessage() {} func (x *Server_GRPC) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[19] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[18] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1452,7 +1385,7 @@ func (x *Server_GRPC) ProtoReflect() protoreflect.Message { // Deprecated: Use Server_GRPC.ProtoReflect.Descriptor instead. func (*Server_GRPC) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6, 2} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5, 2} } func (x *Server_GRPC) GetNetwork() string { @@ -1506,7 +1439,7 @@ type Data_Database struct { func (x *Data_Database) Reset() { *x = Data_Database{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[20] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[19] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1518,7 +1451,7 @@ func (x *Data_Database) String() string { func (*Data_Database) ProtoMessage() {} func (x *Data_Database) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[20] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[19] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1531,7 +1464,7 @@ func (x *Data_Database) ProtoReflect() protoreflect.Message { // Deprecated: Use Data_Database.ProtoReflect.Descriptor instead. func (*Data_Database) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{7, 0} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6, 0} } func (x *Data_Database) GetDriver() string { @@ -1583,7 +1516,7 @@ type Auth_OIDC struct { func (x *Auth_OIDC) Reset() { *x = Auth_OIDC{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[21] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[20] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1595,7 +1528,7 @@ func (x *Auth_OIDC) String() string { func (*Auth_OIDC) ProtoMessage() {} func (x *Auth_OIDC) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[21] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[20] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1608,7 +1541,7 @@ func (x *Auth_OIDC) ProtoReflect() protoreflect.Message { // Deprecated: Use Auth_OIDC.ProtoReflect.Descriptor instead. func (*Auth_OIDC) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{8, 0} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{7, 0} } func (x *Auth_OIDC) GetDomain() string { @@ -1650,7 +1583,7 @@ type CA_FileCA struct { func (x *CA_FileCA) Reset() { *x = CA_FileCA{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[22] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[21] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1662,7 +1595,7 @@ func (x *CA_FileCA) String() string { func (*CA_FileCA) ProtoMessage() {} func (x *CA_FileCA) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[22] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[21] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1675,7 +1608,7 @@ func (x *CA_FileCA) ProtoReflect() protoreflect.Message { // Deprecated: Use CA_FileCA.ProtoReflect.Descriptor instead. func (*CA_FileCA) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{10, 0} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{9, 0} } func (x *CA_FileCA) GetCertPath() string { @@ -1716,7 +1649,7 @@ type CA_EJBCA struct { func (x *CA_EJBCA) Reset() { *x = CA_EJBCA{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[23] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[22] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1728,7 +1661,7 @@ func (x *CA_EJBCA) String() string { func (*CA_EJBCA) ProtoMessage() {} func (x *CA_EJBCA) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[23] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[22] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1741,7 +1674,7 @@ func (x *CA_EJBCA) ProtoReflect() protoreflect.Message { // Deprecated: Use CA_EJBCA.ProtoReflect.Descriptor instead. func (*CA_EJBCA) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{10, 1} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{9, 1} } func (x *CA_EJBCA) GetServerUrl() string { @@ -1797,7 +1730,7 @@ var File_controlplane_config_v1_conf_proto protoreflect.FileDescriptor const file_controlplane_config_v1_conf_proto_rawDesc = "" + "\n" + - "!controlplane/config/v1/conf.proto\x12\x16controlplane.config.v1\x1a\x1bbuf/validate/validate.proto\x1a#controlplane/config/v1/config.proto\x1a\x1bcredentials/v1/config.proto\x1a\x1egoogle/protobuf/duration.proto\"\xf5\x11\n" + + "!controlplane/config/v1/conf.proto\x12\x16controlplane.config.v1\x1a\x1bbuf/validate/validate.proto\x1a#controlplane/config/v1/config.proto\x1a\x1bcredentials/v1/config.proto\x1a\x1egoogle/protobuf/duration.proto\"\xb1\x11\n" + "\tBootstrap\x126\n" + "\x06server\x18\x01 \x01(\v2\x1e.controlplane.config.v1.ServerR\x06server\x120\n" + "\x04data\x18\x02 \x01(\v2\x1c.controlplane.config.v1.DataR\x04data\x120\n" + @@ -1807,8 +1740,7 @@ const file_controlplane_config_v1_conf_proto_rawDesc = "" + "\n" + "cas_server\x18\x06 \x01(\v2+.controlplane.config.v1.Bootstrap.CASServerR\tcasServer\x12\x1f\n" + "\vplugins_dir\x18\a \x01(\tR\n" + - "pluginsDir\x12_\n" + - "\x15referrer_shared_index\x18\b \x01(\v2+.controlplane.config.v1.ReferrerSharedIndexR\x13referrerSharedIndex\x12S\n" + + "pluginsDir\x12S\n" + "\x15certificate_authority\x18\t \x01(\v2\x1a.controlplane.config.v1.CAB\x02\x18\x01R\x14certificateAuthority\x12S\n" + "\x17certificate_authorities\x18\x0f \x03(\v2\x1a.controlplane.config.v1.CAR\x16certificateAuthorities\x12P\n" + "\x15timestamp_authorities\x18\x11 \x03(\v2\x1b.controlplane.config.v1.TSAR\x14timestampAuthorities\x12F\n" + @@ -1848,7 +1780,7 @@ const file_controlplane_config_v1_conf_proto_rawDesc = "" + "\x03uri\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x03uri\x12\x1f\n" + "\x05token\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01H\x00R\x05token\x12\x1a\n" + "\breplicas\x18\x03 \x01(\x05R\breplicasB\x10\n" + - "\x0eauthentication\"6\n" + + "\x0eauthenticationJ\x04\b\b\x10\tR\x15referrer_shared_index\"6\n" + "\fAttestations\x12&\n" + "\x0fskip_db_storage\x18\x01 \x01(\bR\rskipDbStorage\"v\n" + "\x1eOperationAuthorizationProvider\x12\x1a\n" + @@ -1865,10 +1797,7 @@ const file_controlplane_config_v1_conf_proto_rawDesc = "" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')R\x04name\x12\x18\n" + "\adefault\x18\x02 \x01(\bR\adefault\x12\x16\n" + "\x04host\x18\x03 \x01(\tB\x02\x18\x01R\x04host\x12\x10\n" + - "\x03url\x18\x04 \x01(\tR\x03url\"R\n" + - "\x13ReferrerSharedIndex\x12\x18\n" + - "\aenabled\x18\x01 \x01(\bR\aenabled\x12!\n" + - "\fallowed_orgs\x18\x02 \x03(\tR\vallowedOrgs\"\xfe\x04\n" + + "\x03url\x18\x04 \x01(\tR\x03url\"\xfe\x04\n" + "\x06Server\x127\n" + "\x04http\x18\x01 \x01(\v2#.controlplane.config.v1.Server.HTTPR\x04http\x127\n" + "\x04grpc\x18\x02 \x01(\v2#.controlplane.config.v1.Server.GRPCR\x04grpc\x12F\n" + @@ -1947,75 +1876,73 @@ func file_controlplane_config_v1_conf_proto_rawDescGZIP() []byte { return file_controlplane_config_v1_conf_proto_rawDescData } -var file_controlplane_config_v1_conf_proto_msgTypes = make([]protoimpl.MessageInfo, 24) +var file_controlplane_config_v1_conf_proto_msgTypes = make([]protoimpl.MessageInfo, 23) var file_controlplane_config_v1_conf_proto_goTypes = []any{ (*Bootstrap)(nil), // 0: controlplane.config.v1.Bootstrap (*Attestations)(nil), // 1: controlplane.config.v1.Attestations (*OperationAuthorizationProvider)(nil), // 2: controlplane.config.v1.OperationAuthorizationProvider (*FederatedAuthentication)(nil), // 3: controlplane.config.v1.FederatedAuthentication (*PolicyProvider)(nil), // 4: controlplane.config.v1.PolicyProvider - (*ReferrerSharedIndex)(nil), // 5: controlplane.config.v1.ReferrerSharedIndex - (*Server)(nil), // 6: controlplane.config.v1.Server - (*Data)(nil), // 7: controlplane.config.v1.Data - (*Auth)(nil), // 8: controlplane.config.v1.Auth - (*TSA)(nil), // 9: controlplane.config.v1.TSA - (*CA)(nil), // 10: controlplane.config.v1.CA - (*PrometheusIntegrationSpec)(nil), // 11: controlplane.config.v1.PrometheusIntegrationSpec - (*Bootstrap_Observability)(nil), // 12: controlplane.config.v1.Bootstrap.Observability - (*Bootstrap_CASServer)(nil), // 13: controlplane.config.v1.Bootstrap.CASServer - (*Bootstrap_NatsServer)(nil), // 14: controlplane.config.v1.Bootstrap.NatsServer - (*Bootstrap_Observability_Sentry)(nil), // 15: controlplane.config.v1.Bootstrap.Observability.Sentry - (*Bootstrap_Observability_Tracing)(nil), // 16: controlplane.config.v1.Bootstrap.Observability.Tracing - (*Server_HTTP)(nil), // 17: controlplane.config.v1.Server.HTTP - (*Server_TLS)(nil), // 18: controlplane.config.v1.Server.TLS - (*Server_GRPC)(nil), // 19: controlplane.config.v1.Server.GRPC - (*Data_Database)(nil), // 20: controlplane.config.v1.Data.Database - (*Auth_OIDC)(nil), // 21: controlplane.config.v1.Auth.OIDC - (*CA_FileCA)(nil), // 22: controlplane.config.v1.CA.FileCA - (*CA_EJBCA)(nil), // 23: controlplane.config.v1.CA.EJBCA - (*v1.Credentials)(nil), // 24: credentials.v1.Credentials - (*v11.OnboardingSpec)(nil), // 25: controlplane.config.v1.OnboardingSpec - (*v11.AllowList)(nil), // 26: controlplane.config.v1.AllowList - (*durationpb.Duration)(nil), // 27: google.protobuf.Duration + (*Server)(nil), // 5: controlplane.config.v1.Server + (*Data)(nil), // 6: controlplane.config.v1.Data + (*Auth)(nil), // 7: controlplane.config.v1.Auth + (*TSA)(nil), // 8: controlplane.config.v1.TSA + (*CA)(nil), // 9: controlplane.config.v1.CA + (*PrometheusIntegrationSpec)(nil), // 10: controlplane.config.v1.PrometheusIntegrationSpec + (*Bootstrap_Observability)(nil), // 11: controlplane.config.v1.Bootstrap.Observability + (*Bootstrap_CASServer)(nil), // 12: controlplane.config.v1.Bootstrap.CASServer + (*Bootstrap_NatsServer)(nil), // 13: controlplane.config.v1.Bootstrap.NatsServer + (*Bootstrap_Observability_Sentry)(nil), // 14: controlplane.config.v1.Bootstrap.Observability.Sentry + (*Bootstrap_Observability_Tracing)(nil), // 15: controlplane.config.v1.Bootstrap.Observability.Tracing + (*Server_HTTP)(nil), // 16: controlplane.config.v1.Server.HTTP + (*Server_TLS)(nil), // 17: controlplane.config.v1.Server.TLS + (*Server_GRPC)(nil), // 18: controlplane.config.v1.Server.GRPC + (*Data_Database)(nil), // 19: controlplane.config.v1.Data.Database + (*Auth_OIDC)(nil), // 20: controlplane.config.v1.Auth.OIDC + (*CA_FileCA)(nil), // 21: controlplane.config.v1.CA.FileCA + (*CA_EJBCA)(nil), // 22: controlplane.config.v1.CA.EJBCA + (*v1.Credentials)(nil), // 23: credentials.v1.Credentials + (*v11.OnboardingSpec)(nil), // 24: controlplane.config.v1.OnboardingSpec + (*v11.AllowList)(nil), // 25: controlplane.config.v1.AllowList + (*durationpb.Duration)(nil), // 26: google.protobuf.Duration } var file_controlplane_config_v1_conf_proto_depIdxs = []int32{ - 6, // 0: controlplane.config.v1.Bootstrap.server:type_name -> controlplane.config.v1.Server - 7, // 1: controlplane.config.v1.Bootstrap.data:type_name -> controlplane.config.v1.Data - 8, // 2: controlplane.config.v1.Bootstrap.auth:type_name -> controlplane.config.v1.Auth - 12, // 3: controlplane.config.v1.Bootstrap.observability:type_name -> controlplane.config.v1.Bootstrap.Observability - 24, // 4: controlplane.config.v1.Bootstrap.credentials_service:type_name -> credentials.v1.Credentials - 13, // 5: controlplane.config.v1.Bootstrap.cas_server:type_name -> controlplane.config.v1.Bootstrap.CASServer - 5, // 6: controlplane.config.v1.Bootstrap.referrer_shared_index:type_name -> controlplane.config.v1.ReferrerSharedIndex - 10, // 7: controlplane.config.v1.Bootstrap.certificate_authority:type_name -> controlplane.config.v1.CA - 10, // 8: controlplane.config.v1.Bootstrap.certificate_authorities:type_name -> controlplane.config.v1.CA - 9, // 9: controlplane.config.v1.Bootstrap.timestamp_authorities:type_name -> controlplane.config.v1.TSA - 25, // 10: controlplane.config.v1.Bootstrap.onboarding:type_name -> controlplane.config.v1.OnboardingSpec - 11, // 11: controlplane.config.v1.Bootstrap.prometheus_integration:type_name -> controlplane.config.v1.PrometheusIntegrationSpec - 4, // 12: controlplane.config.v1.Bootstrap.policy_providers:type_name -> controlplane.config.v1.PolicyProvider - 14, // 13: controlplane.config.v1.Bootstrap.nats_server:type_name -> controlplane.config.v1.Bootstrap.NatsServer - 3, // 14: controlplane.config.v1.Bootstrap.federated_authentication:type_name -> controlplane.config.v1.FederatedAuthentication - 2, // 15: controlplane.config.v1.Bootstrap.operation_authorization_provider:type_name -> controlplane.config.v1.OperationAuthorizationProvider - 1, // 16: controlplane.config.v1.Bootstrap.attestations:type_name -> controlplane.config.v1.Attestations - 17, // 17: controlplane.config.v1.Server.http:type_name -> controlplane.config.v1.Server.HTTP - 19, // 18: controlplane.config.v1.Server.grpc:type_name -> controlplane.config.v1.Server.GRPC - 17, // 19: controlplane.config.v1.Server.http_metrics:type_name -> controlplane.config.v1.Server.HTTP - 20, // 20: controlplane.config.v1.Data.database:type_name -> controlplane.config.v1.Data.Database - 26, // 21: controlplane.config.v1.Auth.allow_list:type_name -> controlplane.config.v1.AllowList - 21, // 22: controlplane.config.v1.Auth.oidc:type_name -> controlplane.config.v1.Auth.OIDC - 22, // 23: controlplane.config.v1.CA.file_ca:type_name -> controlplane.config.v1.CA.FileCA - 23, // 24: controlplane.config.v1.CA.ejbca_ca:type_name -> controlplane.config.v1.CA.EJBCA - 15, // 25: controlplane.config.v1.Bootstrap.Observability.sentry:type_name -> controlplane.config.v1.Bootstrap.Observability.Sentry - 16, // 26: controlplane.config.v1.Bootstrap.Observability.tracing:type_name -> controlplane.config.v1.Bootstrap.Observability.Tracing - 19, // 27: controlplane.config.v1.Bootstrap.CASServer.grpc:type_name -> controlplane.config.v1.Server.GRPC - 27, // 28: controlplane.config.v1.Server.HTTP.timeout:type_name -> google.protobuf.Duration - 27, // 29: controlplane.config.v1.Server.GRPC.timeout:type_name -> google.protobuf.Duration - 18, // 30: controlplane.config.v1.Server.GRPC.tls_config:type_name -> controlplane.config.v1.Server.TLS - 27, // 31: controlplane.config.v1.Data.Database.max_conn_idle_time:type_name -> google.protobuf.Duration - 32, // [32:32] is the sub-list for method output_type - 32, // [32:32] is the sub-list for method input_type - 32, // [32:32] is the sub-list for extension type_name - 32, // [32:32] is the sub-list for extension extendee - 0, // [0:32] is the sub-list for field type_name + 5, // 0: controlplane.config.v1.Bootstrap.server:type_name -> controlplane.config.v1.Server + 6, // 1: controlplane.config.v1.Bootstrap.data:type_name -> controlplane.config.v1.Data + 7, // 2: controlplane.config.v1.Bootstrap.auth:type_name -> controlplane.config.v1.Auth + 11, // 3: controlplane.config.v1.Bootstrap.observability:type_name -> controlplane.config.v1.Bootstrap.Observability + 23, // 4: controlplane.config.v1.Bootstrap.credentials_service:type_name -> credentials.v1.Credentials + 12, // 5: controlplane.config.v1.Bootstrap.cas_server:type_name -> controlplane.config.v1.Bootstrap.CASServer + 9, // 6: controlplane.config.v1.Bootstrap.certificate_authority:type_name -> controlplane.config.v1.CA + 9, // 7: controlplane.config.v1.Bootstrap.certificate_authorities:type_name -> controlplane.config.v1.CA + 8, // 8: controlplane.config.v1.Bootstrap.timestamp_authorities:type_name -> controlplane.config.v1.TSA + 24, // 9: controlplane.config.v1.Bootstrap.onboarding:type_name -> controlplane.config.v1.OnboardingSpec + 10, // 10: controlplane.config.v1.Bootstrap.prometheus_integration:type_name -> controlplane.config.v1.PrometheusIntegrationSpec + 4, // 11: controlplane.config.v1.Bootstrap.policy_providers:type_name -> controlplane.config.v1.PolicyProvider + 13, // 12: controlplane.config.v1.Bootstrap.nats_server:type_name -> controlplane.config.v1.Bootstrap.NatsServer + 3, // 13: controlplane.config.v1.Bootstrap.federated_authentication:type_name -> controlplane.config.v1.FederatedAuthentication + 2, // 14: controlplane.config.v1.Bootstrap.operation_authorization_provider:type_name -> controlplane.config.v1.OperationAuthorizationProvider + 1, // 15: controlplane.config.v1.Bootstrap.attestations:type_name -> controlplane.config.v1.Attestations + 16, // 16: controlplane.config.v1.Server.http:type_name -> controlplane.config.v1.Server.HTTP + 18, // 17: controlplane.config.v1.Server.grpc:type_name -> controlplane.config.v1.Server.GRPC + 16, // 18: controlplane.config.v1.Server.http_metrics:type_name -> controlplane.config.v1.Server.HTTP + 19, // 19: controlplane.config.v1.Data.database:type_name -> controlplane.config.v1.Data.Database + 25, // 20: controlplane.config.v1.Auth.allow_list:type_name -> controlplane.config.v1.AllowList + 20, // 21: controlplane.config.v1.Auth.oidc:type_name -> controlplane.config.v1.Auth.OIDC + 21, // 22: controlplane.config.v1.CA.file_ca:type_name -> controlplane.config.v1.CA.FileCA + 22, // 23: controlplane.config.v1.CA.ejbca_ca:type_name -> controlplane.config.v1.CA.EJBCA + 14, // 24: controlplane.config.v1.Bootstrap.Observability.sentry:type_name -> controlplane.config.v1.Bootstrap.Observability.Sentry + 15, // 25: controlplane.config.v1.Bootstrap.Observability.tracing:type_name -> controlplane.config.v1.Bootstrap.Observability.Tracing + 18, // 26: controlplane.config.v1.Bootstrap.CASServer.grpc:type_name -> controlplane.config.v1.Server.GRPC + 26, // 27: controlplane.config.v1.Server.HTTP.timeout:type_name -> google.protobuf.Duration + 26, // 28: controlplane.config.v1.Server.GRPC.timeout:type_name -> google.protobuf.Duration + 17, // 29: controlplane.config.v1.Server.GRPC.tls_config:type_name -> controlplane.config.v1.Server.TLS + 26, // 30: controlplane.config.v1.Data.Database.max_conn_idle_time:type_name -> google.protobuf.Duration + 31, // [31:31] is the sub-list for method output_type + 31, // [31:31] is the sub-list for method input_type + 31, // [31:31] is the sub-list for extension type_name + 31, // [31:31] is the sub-list for extension extendee + 0, // [0:31] is the sub-list for field type_name } func init() { file_controlplane_config_v1_conf_proto_init() } @@ -2023,21 +1950,21 @@ func file_controlplane_config_v1_conf_proto_init() { if File_controlplane_config_v1_conf_proto != nil { return } - file_controlplane_config_v1_conf_proto_msgTypes[10].OneofWrappers = []any{ + file_controlplane_config_v1_conf_proto_msgTypes[9].OneofWrappers = []any{ (*CA_FileCa)(nil), (*CA_EjbcaCa)(nil), } - file_controlplane_config_v1_conf_proto_msgTypes[14].OneofWrappers = []any{ + file_controlplane_config_v1_conf_proto_msgTypes[13].OneofWrappers = []any{ (*Bootstrap_NatsServer_Token)(nil), } - file_controlplane_config_v1_conf_proto_msgTypes[16].OneofWrappers = []any{} + file_controlplane_config_v1_conf_proto_msgTypes[15].OneofWrappers = []any{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_controlplane_config_v1_conf_proto_rawDesc), len(file_controlplane_config_v1_conf_proto_rawDesc)), NumEnums: 0, - NumMessages: 24, + NumMessages: 23, NumExtensions: 0, NumServices: 0, }, diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf.proto b/app/controlplane/internal/conf/controlplane/config/v1/conf.proto index 0442ab0e4..1a04c8881 100644 --- a/app/controlplane/internal/conf/controlplane/config/v1/conf.proto +++ b/app/controlplane/internal/conf/controlplane/config/v1/conf.proto @@ -35,8 +35,8 @@ message Bootstrap { // Plugins directory // NOTE: plugins have the form of chainloop-plugin- string plugins_dir = 7; - // Configuration about the shared referrer index - ReferrerSharedIndex referrer_shared_index = 8; + reserved 8; + reserved "referrer_shared_index"; // The certificate authority used for keyless signing (deprecated, use certificate_authorities instead) CA certificate_authority = 9 [deprecated = true]; @@ -170,17 +170,6 @@ message PolicyProvider { string url = 4; // Note. Validations not applied not to break compatibility with current deployments } -// Configuration used to enable a shared index API endpoint that can be used to discover metadata referrers -// To populate the shared index you need to enable the feature and configure the allowed orgs -// The reason to have an org allowList is to avoid leaking metadata from other organizations and set the stage for a trusted publisher model -message ReferrerSharedIndex { - // If the shared, public index feature is enabled - bool enabled = 1; - // list of organizations uuids that are allowed to appear in the shared referrer index - // think of it as a list of trusted publishers - repeated string allowed_orgs = 2; -} - message Server { message HTTP { string network = 1; diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf_test.go b/app/controlplane/internal/conf/controlplane/config/v1/conf_test.go deleted file mode 100644 index 3f6d14478..000000000 --- a/app/controlplane/internal/conf/controlplane/config/v1/conf_test.go +++ /dev/null @@ -1,75 +0,0 @@ -// -// Copyright 2023 The Chainloop Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package conf - -import ( - "testing" - - "github.com/stretchr/testify/assert" -) - -func TestValidateOrgs(t *testing.T) { - testCases := []struct { - name string - index *ReferrerSharedIndex - wantErrMsg string - }{ - { - name: "nil configuration", - index: nil, - }, - { - name: "enabled but without orgs", - index: &ReferrerSharedIndex{ - Enabled: true, - }, - wantErrMsg: "index is enabled, but no orgs are allowed", - }, - { - name: "enabled with invalid orgs", - index: &ReferrerSharedIndex{ - Enabled: true, - AllowedOrgs: []string{"invalid"}, - }, - wantErrMsg: "invalid org id: invalid", - }, - { - name: "with invalid orgs but disabled", - index: &ReferrerSharedIndex{ - Enabled: false, - AllowedOrgs: []string{"invalid"}, - }, - }, - { - name: "enabled with valid orgs", - index: &ReferrerSharedIndex{ - Enabled: true, - AllowedOrgs: []string{"00000000-0000-0000-0000-000000000000"}, - }, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - err := tc.index.ValidateOrgs() - if tc.wantErrMsg != "" { - assert.EqualError(t, err, tc.wantErrMsg) - } else { - assert.NoError(t, err) - } - }) - } -} diff --git a/app/controlplane/internal/dispatcher/dispatcher.go b/app/controlplane/internal/dispatcher/dispatcher.go index 925af4f41..07d3b5872 100644 --- a/app/controlplane/internal/dispatcher/dispatcher.go +++ b/app/controlplane/internal/dispatcher/dispatcher.go @@ -115,7 +115,7 @@ func (d *FanOutDispatcher) Run(ctx context.Context, opts *RunOpts) error { return fmt.Errorf("workflow not found") } - wfRun, err := d.wfRunUC.GetByIDInOrgOrPublic(ctx, opts.OrgID, opts.WorkflowRunID) + wfRun, err := d.wfRunUC.GetByIDInOrg(ctx, opts.OrgID, opts.WorkflowRunID) if err != nil { return fmt.Errorf("finding workflow: %w", err) } else if wfRun == nil { diff --git a/app/controlplane/internal/server/grpc.go b/app/controlplane/internal/server/grpc.go index f46a4d8f2..38711d932 100644 --- a/app/controlplane/internal/server/grpc.go +++ b/app/controlplane/internal/server/grpc.go @@ -102,7 +102,7 @@ type Opts struct { } var ( - currentUserSkipRegexp = regexp.MustCompile("(controlplane.v1.AttestationService/.*|controlplane.v1.StatusService/.*|controlplane.v1.ReferrerService/DiscoverPublicShared|controlplane.v1.AttestationStateService|controlplane.v1.SigningService)") + currentUserSkipRegexp = regexp.MustCompile("(controlplane.v1.AttestationService/.*|controlplane.v1.StatusService/.*|controlplane.v1.AttestationStateService|controlplane.v1.SigningService)") fullyConfiguredOrgSkipRegexp = regexp.MustCompile("controlplane.v1.OCIRepositoryService/.*|controlplane.v1.ContextService/Current|/controlplane.v1.OrganizationService/.*|/controlplane.v1.AuthService/DeleteAccount|controlplane.v1.CASBackendService/.*|/controlplane.v1.UserService/.*|controlplane.v1.SigningService/.*") fullyConfiguredCASBackendRequireRegexp = regexp.MustCompile("/controlplane.v1.AttestationService.GetUploadCreds|/controlplane.v1.AttestationService.Init|/controlplane.v1.AttestationService.Store|/controlplane.v1.CASCredentialsService.Get") allowListSkipRegexp = regexp.MustCompile("controlplane.v1.ContextService/Current|/controlplane.v1.AuthService/DeleteAccount") diff --git a/app/controlplane/internal/service/attestation.go b/app/controlplane/internal/service/attestation.go index bfeed5266..d42148509 100644 --- a/app/controlplane/internal/service/attestation.go +++ b/app/controlplane/internal/service/attestation.go @@ -263,7 +263,7 @@ func (s *AttestationService) Store(ctx context.Context, req *cpAPI.AttestationSe return nil, err } - wRun, err := s.wrUseCase.GetByIDInOrgOrPublic(ctx, robotAccount.OrgID, req.WorkflowRunId) + wRun, err := s.wrUseCase.GetByIDInOrg(ctx, robotAccount.OrgID, req.WorkflowRunId) if err != nil { return nil, handleUseCaseErr(err, s.log) } else if wRun == nil { @@ -441,7 +441,7 @@ func (s *AttestationService) Cancel(ctx context.Context, req *cpAPI.AttestationS return nil, err } - wRun, err := s.wrUseCase.GetByIDInOrgOrPublic(ctx, robotAccount.OrgID, req.WorkflowRunId) + wRun, err := s.wrUseCase.GetByIDInOrg(ctx, robotAccount.OrgID, req.WorkflowRunId) if err != nil { return nil, handleUseCaseErr(err, s.log) } else if wRun == nil { @@ -465,7 +465,7 @@ func (s *AttestationService) GetUploadCreds(ctx context.Context, req *cpAPI.Atte // Find the CAS backend associated with this workflowRun, that's the one that will be used to upload the materials // NOTE: currently we only support one backend per workflowRun but this will change in the future // This is the new mode, where the CAS backend ref is stored in the workflow run since initialization - wRun, err := s.wrUseCase.GetByIDInOrgOrPublic(ctx, robotAccount.OrgID, req.WorkflowRunId) + wRun, err := s.wrUseCase.GetByIDInOrg(ctx, robotAccount.OrgID, req.WorkflowRunId) if err != nil { return nil, handleUseCaseErr(err, s.log) } else if wRun == nil { diff --git a/app/controlplane/internal/service/referrer.go b/app/controlplane/internal/service/referrer.go index 9275d33c7..883aca7db 100644 --- a/app/controlplane/internal/service/referrer.go +++ b/app/controlplane/internal/service/referrer.go @@ -96,26 +96,6 @@ func (s *ReferrerService) DiscoverPrivate(ctx context.Context, req *pb.ReferrerS }, nil } -// DiscoverPublicShared implements the deprecated public shared index RPC, kept for backwards compatibility. -// -//nolint:staticcheck // the RPC is deprecated but still served -func (s *ReferrerService) DiscoverPublicShared(ctx context.Context, req *pb.DiscoverPublicSharedRequest) (*pb.DiscoverPublicSharedResponse, error) { - paginationOpts, err := referrerPaginationOptsFromProto(req.GetPagination()) - if err != nil { - return nil, err - } - - res, nextCursor, err := s.referrerUC.GetFromRootInPublicSharedIndex(ctx, req.GetDigest(), req.GetKind(), paginationOpts) - if err != nil { - return nil, handleUseCaseErr(err, s.log) - } - - return &pb.DiscoverPublicSharedResponse{ - Result: bizReferrerToPb(res), - Pagination: bizCursorToPb(nextCursor), - }, nil -} - // defaultReferrerPageSize is the page size applied when a referrer Discover* request // arrives without pagination. It deliberately overrides the package-wide // pagination.DefaultCursorLimit (10) because referrer responses render nested references @@ -144,7 +124,6 @@ func bizReferrerToPb(r *biz.StoredReferrer) *pb.ReferrerItem { item := &pb.ReferrerItem{ Digest: r.Digest, Downloadable: r.Downloadable, - Public: r.InPublicWorkflow, Kind: r.Kind, CreatedAt: timestamppb.New(*r.CreatedAt), Metadata: r.Metadata, diff --git a/app/controlplane/internal/service/workflow.go b/app/controlplane/internal/service/workflow.go index fd99d597d..808b8637c 100644 --- a/app/controlplane/internal/service/workflow.go +++ b/app/controlplane/internal/service/workflow.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -88,7 +88,6 @@ func (s *WorkflowService) Create(ctx context.Context, req *pb.WorkflowServiceCre ContractName: req.GetContractName(), ContractBytes: req.GetContractBytes(), Description: req.GetDescription(), - Public: req.GetPublic(), OrgRestrictContractCreationToAdmins: org.RestrictContractCreationToOrgAdmins, } @@ -143,7 +142,6 @@ func (s *WorkflowService) Update(ctx context.Context, req *pb.WorkflowServiceUpd updateOpts := &biz.WorkflowUpdateOpts{ Team: req.Team, - Public: req.Public, Description: req.Description, ContractID: contractID, } @@ -200,12 +198,6 @@ func (s *WorkflowService) List(ctx context.Context, req *pb.WorkflowServiceListR filters.WorkflowProjectNames = req.GetProjectNames() } - // Workflow visibility - if req.WorkflowPublic != nil { - val := req.GetWorkflowPublic() - filters.WorkflowPublic = &val - } - // Workflow Run Runner Type if req.GetWorkflowRunRunnerType() != schema.CraftingSchema_Runner_RUNNER_TYPE_UNSPECIFIED { filters.WorkflowRunRunnerType = req.GetWorkflowRunRunnerType().String() @@ -302,7 +294,7 @@ func (s *WorkflowService) View(ctx context.Context, req *pb.WorkflowServiceViewR func bizWorkflowToPb(wf *biz.Workflow) *pb.WorkflowItem { item := &pb.WorkflowItem{ Id: wf.ID.String(), Name: wf.Name, CreatedAt: timestamppb.New(*wf.CreatedAt), - Project: wf.Project, Team: wf.Team, RunsCount: int32(wf.RunsCounter), Public: wf.Public, + Project: wf.Project, Team: wf.Team, RunsCount: int32(wf.RunsCounter), Description: wf.Description, ContractRevisionLatest: int32(wf.ContractRevisionLatest), ContractName: wf.ContractName, ProjectId: wf.ProjectID.String(), diff --git a/app/controlplane/internal/service/workflowrun.go b/app/controlplane/internal/service/workflowrun.go index 1f9bf174b..973722218 100644 --- a/app/controlplane/internal/service/workflowrun.go +++ b/app/controlplane/internal/service/workflowrun.go @@ -254,12 +254,12 @@ func (s *WorkflowRunService) View(ctx context.Context, req *pb.WorkflowRunServic var run *biz.WorkflowRun switch { case req.GetId() != "": - run, err = s.wrUseCase.GetByIDInOrgOrPublic(ctx, currentOrg.ID, req.GetId()) + run, err = s.wrUseCase.GetByIDInOrg(ctx, currentOrg.ID, req.GetId()) if err != nil { return nil, handleUseCaseErr(err, s.log) } case req.GetDigest() != "": - run, err = s.wrUseCase.GetByDigestInOrgOrPublic(ctx, currentOrg.ID, req.GetDigest()) + run, err = s.wrUseCase.GetByDigestInOrg(ctx, currentOrg.ID, req.GetDigest()) if err != nil { return nil, handleUseCaseErr(err, s.log) } @@ -267,11 +267,9 @@ func (s *WorkflowRunService) View(ctx context.Context, req *pb.WorkflowRunServic return nil, errors.BadRequest("invalid", "id or digest required") } - // Apply RBAC only if workflow is not public - if !run.Workflow.Public { - if err = s.authorizeResource(ctx, authz.PolicyWorkflowRunRead, authz.ResourceTypeProject, run.Workflow.ProjectID); err != nil { - return nil, err - } + // Enforce project-scoped RBAC on the workflow run + if err = s.authorizeResource(ctx, authz.PolicyWorkflowRunRead, authz.ResourceTypeProject, run.Workflow.ProjectID); err != nil { + return nil, err } var verificationResult *pb.WorkflowRunServiceViewResponse_VerificationResult diff --git a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated.json b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated.json index 8552d1535..06cedfd94 100644 --- a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated.json +++ b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated.json @@ -13,8 +13,7 @@ "workflow_name": "test-contract", "project_name": "test-project", "new_description": "test description", - "new_team": "test-team", - "new_public": true + "new_team": "test-team" }, - "Digest": "sha256:96de55711fafc04c5f2e7a0b6d6a40df835bde6c9dbe148b00f565b3915c2229" + "Digest": "sha256:b7804ee0d41dae80a6bdf51d265213641e31f95eeb1041314ec54dfe108460d7" } \ No newline at end of file diff --git a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_by_api_token.json b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_by_api_token.json index 5c14d7fb6..e4e660316 100644 --- a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_by_api_token.json +++ b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_by_api_token.json @@ -13,8 +13,7 @@ "workflow_name": "test-contract", "project_name": "test-project", "new_description": "test description", - "new_team": "test-team", - "new_public": true + "new_team": "test-team" }, - "Digest": "sha256:fc33dee1b1a043d847a6c4c0d945f75d18508675569f43915a7149e9e756ad65" + "Digest": "sha256:8e7e749962224439f25efce9428336f94f2b77b384bfe5f0885208a0d203da94" } \ No newline at end of file diff --git a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract.json b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract.json index a1cdaad29..43c0c5a3a 100644 --- a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract.json +++ b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract.json @@ -14,9 +14,8 @@ "project_name": "test-project", "new_description": "test description", "new_team": "test-team", - "new_public": true, "new_workflow_contract_id": "1089bb36-e27b-428b-8009-d015c8737c54", "new_workflow_contract_name": "test-contract" }, - "Digest": "sha256:9e28ae18fa9d44faa4a6d072f928bd9b70bda9aded9abdcedc776819f4e638e7" + "Digest": "sha256:30cbab2d2e989f8026610e0e81c4b2602f4f68c2cb440a8bd40ef54a84f75883" } \ No newline at end of file diff --git a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract_by_api_token.json b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract_by_api_token.json index 5d70976d0..46777e0cd 100644 --- a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract_by_api_token.json +++ b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract_by_api_token.json @@ -14,9 +14,8 @@ "project_name": "test-project", "new_description": "test description", "new_team": "test-team", - "new_public": true, "new_workflow_contract_id": "1089bb36-e27b-428b-8009-d015c8737c54", "new_workflow_contract_name": "test-contract" }, - "Digest": "sha256:9e28ae18fa9d44faa4a6d072f928bd9b70bda9aded9abdcedc776819f4e638e7" + "Digest": "sha256:30cbab2d2e989f8026610e0e81c4b2602f4f68c2cb440a8bd40ef54a84f75883" } \ No newline at end of file diff --git a/app/controlplane/pkg/auditor/events/workflow.go b/app/controlplane/pkg/auditor/events/workflow.go index 2971c6d34..e335560e3 100644 --- a/app/controlplane/pkg/auditor/events/workflow.go +++ b/app/controlplane/pkg/auditor/events/workflow.go @@ -1,5 +1,5 @@ // -// Copyright 2025 The Chainloop Authors. +// Copyright 2025-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -69,7 +69,6 @@ type WorkflowCreated struct { WorkflowContractName string `json:"workflow_contract_name,omitempty"` WorkflowDescription *string `json:"description,omitempty"` Team *string `json:"team,omitempty"` - Public bool `json:"public,omitempty"` } func (w *WorkflowCreated) TargetID() *uuid.UUID { @@ -99,7 +98,6 @@ type WorkflowUpdated struct { *WorkflowBase NewDescription *string `json:"new_description,omitempty"` NewTeam *string `json:"new_team,omitempty"` - NewPublic *bool `json:"new_public,omitempty"` NewWorkflowContractID *uuid.UUID `json:"new_workflow_contract_id,omitempty"` NewWorkflowContractName *string `json:"new_workflow_contract_name,omitempty"` } diff --git a/app/controlplane/pkg/auditor/events/workflow_test.go b/app/controlplane/pkg/auditor/events/workflow_test.go index e45da3ce1..45ad8c246 100644 --- a/app/controlplane/pkg/auditor/events/workflow_test.go +++ b/app/controlplane/pkg/auditor/events/workflow_test.go @@ -1,5 +1,5 @@ // -// Copyright 2025 The Chainloop Authors. +// Copyright 2025-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -65,7 +65,6 @@ func TestWorkflowEvents(t *testing.T) { WorkflowContractName: wfContractName, WorkflowDescription: &wfDescription, Team: &newTeam, - Public: false, }, expected: "testdata/workflows/workflow_created.json", actor: auditor.ActorTypeUser, @@ -83,7 +82,6 @@ func TestWorkflowEvents(t *testing.T) { WorkflowContractName: wfContractName, WorkflowDescription: &wfDescription, Team: &newTeam, - Public: false, }, expected: "testdata/workflows/workflow_created_by_api_token.json", actor: auditor.ActorTypeAPIToken, @@ -99,7 +97,6 @@ func TestWorkflowEvents(t *testing.T) { }, NewDescription: &wfDescription, NewTeam: &newTeam, - NewPublic: boolPtr(true), }, expected: "testdata/workflows/workflow_updated.json", actor: auditor.ActorTypeUser, @@ -115,7 +112,6 @@ func TestWorkflowEvents(t *testing.T) { }, NewDescription: &wfDescription, NewTeam: &newTeam, - NewPublic: boolPtr(true), }, expected: "testdata/workflows/workflow_updated_by_api_token.json", actor: auditor.ActorTypeAPIToken, @@ -131,7 +127,6 @@ func TestWorkflowEvents(t *testing.T) { }, NewDescription: &wfDescription, NewTeam: &newTeam, - NewPublic: boolPtr(true), NewWorkflowContractID: &wfContractUUID, NewWorkflowContractName: &wfContractName, }, @@ -149,7 +144,6 @@ func TestWorkflowEvents(t *testing.T) { }, NewDescription: &wfDescription, NewTeam: &newTeam, - NewPublic: boolPtr(true), NewWorkflowContractID: &wfContractUUID, NewWorkflowContractName: &wfContractName, }, @@ -220,7 +214,3 @@ func TestWorkflowEvents(t *testing.T) { }) } } - -func boolPtr(b bool) *bool { - return &b -} diff --git a/app/controlplane/pkg/authz/authz_consistency_test.go b/app/controlplane/pkg/authz/authz_consistency_test.go index 437126256..1be3b6062 100644 --- a/app/controlplane/pkg/authz/authz_consistency_test.go +++ b/app/controlplane/pkg/authz/authz_consistency_test.go @@ -70,7 +70,6 @@ var authzExemptProcedures = map[string]struct{}{ "/controlplane.v1.SigningService/GetTrustedRoot": {}, "/controlplane.v1.StatusService/Infoz": {}, "/controlplane.v1.StatusService/Statusz": {}, - "/controlplane.v1.ReferrerService/DiscoverPublicShared": {}, } // adminOnlyProcedures lists controlplane.v1 procedures that reach the authorization middleware but diff --git a/app/controlplane/pkg/biz/casmapping.go b/app/controlplane/pkg/biz/casmapping.go index d2d76c0d7..2cc2ad3ff 100644 --- a/app/controlplane/pkg/biz/casmapping.go +++ b/app/controlplane/pkg/biz/casmapping.go @@ -36,9 +36,7 @@ type CASMapping struct { CASBackend *CASBackend Digest string CreatedAt *time.Time - // A public mapping means that the material/attestation can be downloaded by anyone - Public bool - ProjectID uuid.UUID + ProjectID uuid.UUID } type CASMappingFindOptions struct { @@ -52,9 +50,6 @@ type CASMappingRepo interface { // FindByDigestInOrgs returns a single accessible mapping for the digest within the given orgs // (honouring project RBAC), preferring the default backend. Returns (nil, nil) when none exists. FindByDigestInOrgs(ctx context.Context, digest string, orgs []uuid.UUID, projectIDs map[uuid.UUID][]uuid.UUID) (*CASMapping, error) - // FindPublicByDigest returns a single public mapping for the digest, preferring the default - // backend. Returns (nil, nil) when no public mapping exists. - FindPublicByDigest(ctx context.Context, digest string) (*CASMapping, error) } type CASMappingUseCase struct { @@ -91,10 +86,8 @@ func (uc *CASMappingUseCase) Create(ctx context.Context, digest string, casBacke } // FindCASMappingForDownloadByUser returns the CASMapping appropriate for the given digest and user. -// This means, in order: -// 1 - Any mapping that points to an organization which the user is member of. -// 1.1 If there are multiple mappings, it will pick the default one or the first one. -// 2 - Any mapping that is public. +// It returns a mapping that points to an organization the user is a member of (honoring project +// RBAC); if there are multiple, it picks the default one or the first one. func (uc *CASMappingUseCase) FindCASMappingForDownloadByUser(ctx context.Context, digest string, userID string) (*CASMapping, error) { ctx, span := otelx.Start(ctx, casMappingTracer, "CASMappingUseCase.FindCASMappingForDownloadByUser") defer span.End() @@ -132,7 +125,7 @@ func (uc *CASMappingUseCase) FindCASMappingForDownloadByOrg(ctx context.Context, // log the result defer func() { if result != nil { - uc.logger.Infow("msg", "mapping found!", "digest", digest, "orgs", orgs, "casBackend", result.CASBackend.ID, "default", result.CASBackend.Default, "public", result.Public) + uc.logger.Infow("msg", "mapping found!", "digest", digest, "orgs", orgs, "casBackend", result.CASBackend.ID, "default", result.CASBackend.Default) } else if err == nil || IsNotFound(err) { uc.logger.Infow("msg", "no mapping found!", "digest", digest, "orgs", orgs) } @@ -142,23 +135,14 @@ func (uc *CASMappingUseCase) FindCASMappingForDownloadByOrg(ctx context.Context, return nil, NewErrValidationStr("no organizations provided") } - // 1 - A mapping reachable through one of the user's orgs (honouring project RBAC), selected and + // A mapping reachable through one of the user's orgs (honouring project RBAC), selected and // bounded in the database. This is the common path and stays cheap regardless of how many // mappings a digest has accumulated. mapping, err := uc.repo.FindByDigestInOrgs(ctx, digest, orgs, projectIDs) if err != nil { return nil, fmt.Errorf("failed to find cas mapping in orgs: %w", err) - } else if mapping != nil { - return mapping, nil - } - - // 2 - Otherwise, fall back to a public mapping. This only runs when the requester has no - // org-level access to the digest. - mapping, err = uc.repo.FindPublicByDigest(ctx, digest) - if err != nil { - return nil, fmt.Errorf("failed to find public cas mapping: %w", err) } else if mapping == nil { - uc.logger.Warnw("msg", "digest exist but user does not have access to it", "digest", digest, "orgs", orgs) + uc.logger.Warnw("msg", "digest not accessible to the requesting orgs", "digest", digest, "orgs", orgs) return nil, NewErrNotFound("digest not found in any mapping") } diff --git a/app/controlplane/pkg/biz/casmapping_integration_test.go b/app/controlplane/pkg/biz/casmapping_integration_test.go index 42a5ccb74..909dce304 100644 --- a/app/controlplane/pkg/biz/casmapping_integration_test.go +++ b/app/controlplane/pkg/biz/casmapping_integration_test.go @@ -81,11 +81,11 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadUser() { s.Nil(mapping) }) - s.Run("userOrg1And2 can download validDigestPublic from org3", func() { + s.Run("userOrg1And2 can not download validDigestPublic from org3", func() { + // Cross-org download is no longer possible: access is granted through org membership only. mapping, err := s.CASMapping.FindCASMappingForDownloadByUser(context.TODO(), validDigestPublic, s.userOrg1And2.ID) - s.NoError(err) - s.NotNil(mapping) - s.Equal(s.casBackend3.ID, mapping.CASBackend.ID) + s.Error(err) + s.Nil(mapping) }) s.Run("userOrg2 can download validDigest2 from org2", func() { @@ -95,11 +95,10 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadUser() { s.Equal(s.casBackend2.ID, mapping.CASBackend.ID) }) - s.Run("userOrg2 can download validDigestPublic from org3", func() { + s.Run("userOrg2 can not download validDigestPublic from org3", func() { mapping, err := s.CASMapping.FindCASMappingForDownloadByUser(context.TODO(), validDigestPublic, s.userOrg2.ID) - s.NoError(err) - s.NotNil(mapping) - s.Equal(s.casBackend3.ID, mapping.CASBackend.ID) + s.Error(err) + s.Nil(mapping) }) s.Run("userOrg2 can download validDigest from org2", func() { @@ -133,11 +132,10 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadByOrg() { s.Equal(s.casBackend1.ID, mapping.CASBackend.ID) }) - s.Run("validDigestPublic is available from any org", func() { + s.Run("validDigestPublic is not available from an unrelated org", func() { mapping, err := s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigestPublic, []uuid.UUID{uuid.New()}, nil) - s.NoError(err) - s.NotNil(mapping) - s.Equal(s.casBackend3.ID, mapping.CASBackend.ID) + s.Error(err) + s.Nil(mapping) }) s.Run("validDigestWithoutRun is available only to org 3", func() { @@ -191,20 +189,6 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadPrefersDefaultBack s.Require().NotNil(mapping) s.Equal(nonDefaultBackend.ID, mapping.CASBackend.ID) }) - - s.Run("public download returns the default backend even when it is mapped last", func() { - // Public mappings (workflow is public) across two backends, non-default created first. - _, err := s.CASMapping.Create(ctx, validDigestPublic, nonDefaultBackend.ID.String(), &biz.CASMappingCreateOpts{WorkflowRunID: &s.publicWorkflowRun.ID}) - require.NoError(s.T(), err) - _, err = s.CASMapping.Create(ctx, validDigestPublic, s.casBackend1.ID.String(), &biz.CASMappingCreateOpts{WorkflowRunID: &s.publicWorkflowRun.ID}) - require.NoError(s.T(), err) - - // A requester with no access to org1 falls back to the public mappings. - mapping, err := s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigestPublic, []uuid.UUID{uuid.New()}, nil) - s.NoError(err) - s.Require().NotNil(mapping) - s.Equal(s.casBackend1.ID, mapping.CASBackend.ID) - }) } // When RBAC is enabled for an org (projectIDs carries an entry for it), only mappings whose project @@ -266,23 +250,6 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadSkipsSoftDeleted() s.Error(err) s.Nil(mapping) }) - - s.Run("public download skips a mapping whose workflow is soft-deleted", func() { - _, err := s.CASMapping.Create(ctx, validDigest2, s.casBackend1.ID.String(), &biz.CASMappingCreateOpts{WorkflowRunID: &s.publicWorkflowRun.ID}) - require.NoError(s.T(), err) - - // A non-member can reach it through the public fallback while the workflow is public. - mapping, err := s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigest2, []uuid.UUID{uuid.New()}, nil) - s.NoError(err) - s.Require().NotNil(mapping) - - require.NoError(s.T(), s.Workflow.Delete(ctx, s.org1.ID, s.publicWorkflow.ID.String())) - - // Once the workflow is soft-deleted the mapping is no longer public. - mapping, err = s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigest2, []uuid.UUID{uuid.New()}, nil) - s.Error(err) - s.Nil(mapping) - }) } func (s *casMappingIntegrationSuite) TestCreate() { @@ -292,7 +259,6 @@ func (s *casMappingIntegrationSuite) TestCreate() { casBackendID uuid.UUID workflowRunID *uuid.UUID wantErr bool - wantPublic bool }{ { name: "valid", @@ -335,17 +301,15 @@ func (s *casMappingIntegrationSuite) TestCreate() { wantErr: true, }, { - name: "public workflowrun", + name: "associated to a workflowrun", digest: validDigest, casBackendID: s.casBackend1.ID, workflowRunID: biz.ToPtr(s.publicWorkflowRun.ID), - wantPublic: true, }, { name: "not associated to any workflowrun", digest: validDigest, casBackendID: s.casBackend1.ID, - wantPublic: false, }, } @@ -354,7 +318,6 @@ func (s *casMappingIntegrationSuite) TestCreate() { Digest: validDigest, CASBackend: &biz.CASBackend{ID: s.casBackend1.ID}, OrgID: s.casBackend1.OrganizationID, - Public: tc.wantPublic, } if tc.workflowRunID != nil { @@ -425,7 +388,7 @@ func (s *casMappingIntegrationSuite) SetupTest() { s.projectID = workflow.ProjectID - publicWorkflow, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-workflow-public", OrgID: s.org1.ID, Public: true, Project: "test-project"}) + publicWorkflow, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-workflow-public", OrgID: s.org1.ID, Project: "test-project"}) assert.NoError(err) s.publicWorkflow = publicWorkflow diff --git a/app/controlplane/pkg/biz/casmapping_test.go b/app/controlplane/pkg/biz/casmapping_test.go index 5bb757128..3b0b81a64 100644 --- a/app/controlplane/pkg/biz/casmapping_test.go +++ b/app/controlplane/pkg/biz/casmapping_test.go @@ -72,7 +72,6 @@ func (s *casMappingSuite) TestCreate() { CASBackend: &biz.CASBackend{ID: validUUID}, WorkflowRunID: validUUID, OrgID: validUUID, - Public: false, } // Mock successful repo call diff --git a/app/controlplane/pkg/biz/mocks/CASMappingRepo.go b/app/controlplane/pkg/biz/mocks/CASMappingRepo.go index 55639e8e3..6b36c85f9 100644 --- a/app/controlplane/pkg/biz/mocks/CASMappingRepo.go +++ b/app/controlplane/pkg/biz/mocks/CASMappingRepo.go @@ -198,71 +198,3 @@ func (_c *CASMappingRepo_FindByDigestInOrgs_Call) RunAndReturn(run func(ctx cont _c.Call.Return(run) return _c } - -// FindPublicByDigest provides a mock function for the type CASMappingRepo -func (_mock *CASMappingRepo) FindPublicByDigest(ctx context.Context, digest string) (*biz.CASMapping, error) { - ret := _mock.Called(ctx, digest) - - if len(ret) == 0 { - panic("no return value specified for FindPublicByDigest") - } - - var r0 *biz.CASMapping - var r1 error - if returnFunc, ok := ret.Get(0).(func(context.Context, string) (*biz.CASMapping, error)); ok { - return returnFunc(ctx, digest) - } - if returnFunc, ok := ret.Get(0).(func(context.Context, string) *biz.CASMapping); ok { - r0 = returnFunc(ctx, digest) - } else { - if ret.Get(0) != nil { - r0 = ret.Get(0).(*biz.CASMapping) - } - } - if returnFunc, ok := ret.Get(1).(func(context.Context, string) error); ok { - r1 = returnFunc(ctx, digest) - } else { - r1 = ret.Error(1) - } - return r0, r1 -} - -// CASMappingRepo_FindPublicByDigest_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'FindPublicByDigest' -type CASMappingRepo_FindPublicByDigest_Call struct { - *mock.Call -} - -// FindPublicByDigest is a helper method to define mock.On call -// - ctx context.Context -// - digest string -func (_e *CASMappingRepo_Expecter) FindPublicByDigest(ctx interface{}, digest interface{}) *CASMappingRepo_FindPublicByDigest_Call { - return &CASMappingRepo_FindPublicByDigest_Call{Call: _e.mock.On("FindPublicByDigest", ctx, digest)} -} - -func (_c *CASMappingRepo_FindPublicByDigest_Call) Run(run func(ctx context.Context, digest string)) *CASMappingRepo_FindPublicByDigest_Call { - _c.Call.Run(func(args mock.Arguments) { - var arg0 context.Context - if args[0] != nil { - arg0 = args[0].(context.Context) - } - var arg1 string - if args[1] != nil { - arg1 = args[1].(string) - } - run( - arg0, - arg1, - ) - }) - return _c -} - -func (_c *CASMappingRepo_FindPublicByDigest_Call) Return(cASMapping *biz.CASMapping, err error) *CASMappingRepo_FindPublicByDigest_Call { - _c.Call.Return(cASMapping, err) - return _c -} - -func (_c *CASMappingRepo_FindPublicByDigest_Call) RunAndReturn(run func(ctx context.Context, digest string) (*biz.CASMapping, error)) *CASMappingRepo_FindPublicByDigest_Call { - _c.Call.Return(run) - return _c -} diff --git a/app/controlplane/pkg/biz/referrer.go b/app/controlplane/pkg/biz/referrer.go index 48c6022db..c607d7e9e 100644 --- a/app/controlplane/pkg/biz/referrer.go +++ b/app/controlplane/pkg/biz/referrer.go @@ -23,7 +23,6 @@ import ( "sort" "time" - conf "github.com/chainloop-dev/chainloop/app/controlplane/internal/conf/controlplane/config/v1" "github.com/chainloop-dev/chainloop/app/controlplane/pkg/pagination" v2 "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/api/attestation/v1" "github.com/chainloop-dev/chainloop/pkg/attestation/renderer/chainloop" @@ -43,44 +42,17 @@ type ReferrerUseCase struct { membershipUseCase *MembershipUseCase workflowRepo WorkflowRepo logger *log.Helper - indexConfig *ReferrerSharedIndexConfig } -type ReferrerSharedIndexConfig struct { - Enabled bool - AllowedOrgs []string -} - -func NewIndexConfig(cfg *conf.ReferrerSharedIndex) (*ReferrerSharedIndexConfig, error) { - // referrer shared index is optional, if not configured, it's disabled - if cfg == nil { - return nil, nil - } - - if err := cfg.ValidateOrgs(); err != nil { - return nil, fmt.Errorf("invalid shared index config: %w", err) - } - - return &ReferrerSharedIndexConfig{ - Enabled: cfg.Enabled, - AllowedOrgs: cfg.AllowedOrgs, - }, nil -} - -func NewReferrerUseCase(repo ReferrerRepo, wfRepo WorkflowRepo, membershipUseCase *MembershipUseCase, indexCfg *ReferrerSharedIndexConfig, l log.Logger) (*ReferrerUseCase, error) { +func NewReferrerUseCase(repo ReferrerRepo, wfRepo WorkflowRepo, membershipUseCase *MembershipUseCase, l log.Logger) (*ReferrerUseCase, error) { if l == nil { l = log.NewStdLogger(io.Discard) } logger := servicelogger.ScopedHelper(l, "biz/referrer") - if indexCfg != nil && indexCfg.Enabled { - logger.Infow("msg", "shared index enabled", "allowedOrgs", indexCfg.AllowedOrgs) - } - return &ReferrerUseCase{ repo: repo, membershipUseCase: membershipUseCase, - indexConfig: indexCfg, workflowRepo: wfRepo, logger: logger, }, nil @@ -104,9 +76,7 @@ type Referrer struct { Kind string // Wether the item is downloadable from CAS or not Downloadable bool - // If this referrer is part of a public workflow - InPublicWorkflow bool - References []*Referrer + References []*Referrer Metadata, Annotations map[string]string } @@ -127,8 +97,6 @@ type ProjectID = uuid.UUID type GetFromRootFilters struct { // RootKind is the kind of the root referrer, i.e ATTESTATION RootKind *string - // Wether to filter by visibility or not - Public *bool // ProjectIDs stores visible projects by org for the requesting user. // If an org entry doesn't exist, it means that RBAC is not applied, hence all projects in that org are visible ProjectIDs map[OrgID][]ProjectID @@ -162,12 +130,6 @@ func WithVisibleProjectIDs(projectIDs map[OrgID][]ProjectID) func(*GetFromRootFi } } -func WithPublicVisibility(public bool) func(*GetFromRootFilters) { - return func(o *GetFromRootFilters) { - o.Public = &public - } -} - // ExtractAndPersist extracts the referrers (subject + materials) from the given attestation // and store it as part of the referrers index table func (s *ReferrerUseCase) ExtractAndPersist(ctx context.Context, att *dsse.Envelope, digest cr_v1.Hash, workflowID string) error { @@ -215,9 +177,8 @@ func (s *ReferrerUseCase) GetFromRootUser(ctx context.Context, digest, rootKind, return nil, "", err } - // We pass the list of organizationsIDs from where to look for the referrer - // For now we just pass the list of organizations the user is member of - // in the future we will expand this to publicly available orgs and so on. + // We pass the list of organizationsIDs from where to look for the referrer: + // the organizations the user is a member of. return s.GetFromRoot(ctx, digest, rootKind, userOrgs, projectIDs, p, extraFilters...) } @@ -248,47 +209,6 @@ func (s *ReferrerUseCase) GetFromRoot(ctx context.Context, digest, rootKind stri return ref, nextCursor, nil } -// Get the list of public referrers from organizations -// that have been allowed to be shown in a shared index -// NOTE: This is a public endpoint under /discover/[sha256:deadbeef] -func (s *ReferrerUseCase) GetFromRootInPublicSharedIndex(ctx context.Context, digest, rootKind string, p *pagination.CursorOptions) (*StoredReferrer, string, error) { - ctx, span := otelx.Start(ctx, referrerTracer, "ReferrerUseCase.GetFromRootInPublicSharedIndex") - defer span.End() - - if s.indexConfig == nil || !s.indexConfig.Enabled { - return nil, "", NewErrUnauthorizedStr("shared referrer index functionality is not enabled") - } - - // Load the organizations that are allowed to appear in the shared index - orgIDs := make([]uuid.UUID, 0) - for _, orgID := range s.indexConfig.AllowedOrgs { - orgUUID, err := uuid.Parse(orgID) - if err != nil { - return nil, "", NewErrInvalidUUID(err) - } - orgIDs = append(orgIDs, orgUUID) - } - - // and ask only for the public referrers of those orgs - filters := []GetFromRootFilter{WithPublicVisibility(true)} - if rootKind != "" { - filters = append(filters, WithKind(rootKind)) - } - - ref, nextCursor, err := s.repo.GetFromRoot(ctx, digest, orgIDs, p, filters...) - if err != nil { - if errors.As(err, &ErrAmbiguousReferrer{}) { - return nil, "", NewErrValidation(fmt.Errorf("please provide the referrer kind: %w", err)) - } - - return nil, "", fmt.Errorf("getting referrer from root: %w", err) - } else if ref == nil { - return nil, "", NewErrNotFound(fmt.Sprintf("artifact or piece of evidence with digest %s", digest)) - } - - return ref, nextCursor, nil -} - const ( // ReferrerAttestationType is the kind of the referrer that represents an attestation. ReferrerAttestationType = "ATTESTATION" diff --git a/app/controlplane/pkg/biz/referrer_integration_test.go b/app/controlplane/pkg/biz/referrer_integration_test.go index ad62e12ef..e73eb6207 100644 --- a/app/controlplane/pkg/biz/referrer_integration_test.go +++ b/app/controlplane/pkg/biz/referrer_integration_test.go @@ -18,8 +18,6 @@ package biz_test import ( "bytes" "context" - "encoding/json" - "os" "strings" "sync" "testing" @@ -32,91 +30,11 @@ import ( creds "github.com/chainloop-dev/chainloop/pkg/credentials/mocks" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/uuid" - "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" ) -func (s *referrerIntegrationTestSuite) TestGetFromRootInPublicSharedIndex() { - // Load attestation - attJSON, err := os.ReadFile("testdata/attestations/with-git-subject.json") - require.NoError(s.T(), err) - var envelope *dsse.Envelope - require.NoError(s.T(), json.Unmarshal(attJSON, &envelope)) - h, _, err := v1.SHA256(bytes.NewReader(attJSON)) - require.NoError(s.T(), err) - wantReferrerAtt := &biz.Referrer{ - Digest: h.String(), - Kind: "ATTESTATION", - Downloadable: true, - } - - // We'll store the attestation in the private only index - ctx := context.Background() - s.Run("public endpoint fails if feature not enabled", func() { - _, _, err := s.Referrer.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.ErrorContains(err, "not enabled") - }) - - s.Run("storing it associated with a private workflow keeps it private and not in the index", func() { - err = s.sharedEnabledUC.ExtractAndPersist(ctx, envelope, h, s.workflow1.ID.String()) - require.NoError(s.T(), err) - ref, _, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID, nil) - s.NoError(err) - s.False(ref.InPublicWorkflow) - res, _, err := s.sharedEnabledUC.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.True(biz.IsNotFound(err)) - s.Nil(res) - }) - - s.T().Run("storing it associated with a public workflow but not allowed org keeps it out of the index", func(t *testing.T) { - // Make workflow2 public - _, err := s.Workflow.Update(ctx, s.org2.ID, s.workflow2.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}) - require.NoError(t, err) - - err = s.sharedEnabledUC.ExtractAndPersist(ctx, envelope, h, s.workflow2.ID.String()) - require.NoError(s.T(), err) - // It's marked as public in the internal index - ref, _, err := s.sharedEnabledUC.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID, nil) - s.NoError(err) - s.True(ref.InPublicWorkflow) - - // But it's not in the public shared index because the org 2 is not whitelisted - res, _, err := s.sharedEnabledUC.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.True(biz.IsNotFound(err)) - s.Nil(res) - }) - - s.T().Run("it should appear if we whitelist org2", func(t *testing.T) { - uc, err := biz.NewReferrerUseCase(s.Repos.Referrer, s.Repos.Workflow, s.Membership, - &biz.ReferrerSharedIndexConfig{ - Enabled: true, - AllowedOrgs: []string{s.org2.ID}, - }, nil) - require.NoError(t, err) - // Now it's public since org2 is whitelisted - res, _, err := uc.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.NoError(err) - s.Equal(wantReferrerAtt.Digest, res.Digest) - }) - - s.T().Run("or we can make the workflow 1 public", func(t *testing.T) { - // reset workflow2 to private - _, err := s.Workflow.Update(ctx, s.org2.ID, s.workflow2.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(false)}) - require.NoError(t, err) - // Make workflow1 public - _, err = s.Workflow.Update(ctx, s.org1.ID, s.workflow1.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}) - require.NoError(t, err) - err = s.sharedEnabledUC.ExtractAndPersist(ctx, envelope, h, s.workflow2.ID.String()) - require.NoError(s.T(), err) - // Now it's public since org1 is whitelisted - res, _, err := s.sharedEnabledUC.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.NoError(err) - s.Equal(wantReferrerAtt.Digest, res.Digest) - }) -} - func (s *referrerIntegrationTestSuite) TestExtractAndPersistsDependentAttestation() { envelope, attJSON := testEnvelope(s.T(), "testdata/attestations/with-dependent-attestation.json") h, _, err := v1.SHA256(bytes.NewReader(attJSON)) @@ -407,27 +325,10 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() { s.Contains(gotDigests, "sha256:5f4d1baadaf3e439f769f11c7ba0c5f77dad27d00689144d1311b48e65818bbd") }) - s.T().Run("if all associated workflows are private, the referrer is private", func(t *testing.T) { + s.T().Run("returns the associated workflow IDs", func(_ *testing.T) { got, _, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID, nil) s.NoError(err) - s.False(got.InPublicWorkflow) s.Equal([]uuid.UUID{s.workflow2.ID, s.workflow1.ID}, got.WorkflowIDs) - for _, r := range got.References { - s.False(r.InPublicWorkflow) - } - }) - - s.T().Run("the referrer will be public if one associated workflow is public", func(t *testing.T) { - // Make workflow1 public - _, err := s.Workflow.Update(ctx, s.org1.ID, s.workflow1.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}) - require.NoError(t, err) - - got, _, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID, nil) - s.NoError(err) - s.True(got.InPublicWorkflow) - for _, r := range got.References { - s.True(r.InPublicWorkflow) - } }) } @@ -668,36 +569,6 @@ func (s *referrerIntegrationTestSuite) TestGetFromRootProjectVersionFilter() { s.Equal(sbomDigest, got.Digest) }) - s.Run("public workflow stays visible under the version filter regardless of RBAC", func() { - // A workflow whose project is NOT in the caller's RBAC-visible set, but which is public — - // matching isReferrerVisible's InPublicWorkflow short-circuit. The version filter must - // honor the same convention or it silently hides referrers that are otherwise visible. - wfPublic, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{ - Name: "wf-public", Team: "team", OrgID: s.org1.ID, Project: "public-proj", - }) - require.NoError(s.T(), err) - _, err = s.Workflow.Update(ctx, s.org1.ID, wfPublic.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}) - require.NoError(s.T(), err) - require.NoError(s.T(), s.Referrer.ExtractAndPersist(ctx, envelope, h, wfPublic.ID.String())) - - contractPublic, err := s.WorkflowContract.Describe(ctx, s.org1.ID, wfPublic.ContractID.String(), 0) - require.NoError(s.T(), err) - runPublic, err := s.WorkflowRun.Create(ctx, &biz.WorkflowRunCreateOpts{ - WorkflowID: wfPublic.ID.String(), ContractRevision: contractPublic, CASBackendID: casBackend.ID, - ProjectVersion: "v1.0.0", - }) - require.NoError(s.T(), err) - require.NoError(s.T(), s.Repos.WorkflowRunRepo.SaveAttestationDigest(ctx, runPublic.ID, h.String(), false)) - - // RBAC restricts the caller to project "test" — "public-proj" is NOT in their set. - rbac := map[biz.OrgID][]biz.ProjectID{s.org1UUID: {s.workflow1.ProjectID}} - - got, _, err := s.Referrer.GetFromRoot(ctx, sbomDigest, "", []uuid.UUID{s.org1UUID}, rbac, nil, biz.WithProjectScope("public-proj", "v1.0.0")) - s.NoError(err, "public workflow must remain discoverable even when RBAC excludes its project") - s.Require().NotNil(got) - s.Equal(sbomDigest, got.Digest) - }) - s.Run("material root cannot bypass version scoping by supplying a cursor", func() { // A second project version whose run points to an unrelated attestation digest, so the // SBOM (only referenced by the v1.0.0 attestation) does not belong to it. @@ -724,7 +595,6 @@ type referrerIntegrationTestSuite struct { workflow1, workflow2 *biz.Workflow org1UUID, org2UUID uuid.UUID user, user2 *biz.User - sharedEnabledUC *biz.ReferrerUseCase run *biz.WorkflowRun } @@ -765,13 +635,6 @@ func (s *referrerIntegrationTestSuite) SetupTest() { _, err = s.Membership.Create(ctx, s.org2.ID, s.user2.ID, biz.WithCurrentMembership()) require.NoError(s.T(), err) - s.sharedEnabledUC, err = biz.NewReferrerUseCase(s.Repos.Referrer, s.Repos.Workflow, s.Membership, - &biz.ReferrerSharedIndexConfig{ - Enabled: true, - AllowedOrgs: []string{s.org1.ID}, - }, nil) - require.NoError(s.T(), err) - // Find contract revision contractVersion, err := s.WorkflowContract.Describe(ctx, s.org1.ID, s.workflow1.ContractID.String(), 0) require.NoError(s.T(), err) diff --git a/app/controlplane/pkg/biz/referrer_test.go b/app/controlplane/pkg/biz/referrer_test.go index 50772bdf9..9399bb97f 100644 --- a/app/controlplane/pkg/biz/referrer_test.go +++ b/app/controlplane/pkg/biz/referrer_test.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -23,47 +23,10 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/secure-systems-lab/go-securesystemslib/dsse" - "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" ) -func (s *referrerTestSuite) TestInitialization() { - testCases := []struct { - name string - conf *ReferrerSharedIndexConfig - wantErrMsg string - }{ - { - name: "nil configuration", - }, - { - name: "disabled", - conf: &ReferrerSharedIndexConfig{ - Enabled: false, - }, - }, - { - name: "enabled with valid orgs", - conf: &ReferrerSharedIndexConfig{ - Enabled: true, - AllowedOrgs: []string{"00000000-0000-0000-0000-000000000000"}, - }, - }, - } - - for _, tc := range testCases { - s.T().Run(tc.name, func(t *testing.T) { - _, err := NewReferrerUseCase(nil, nil, nil, tc.conf, nil) - if tc.wantErrMsg != "" { - assert.EqualError(t, err, tc.wantErrMsg) - } else { - assert.NoError(t, err) - } - }) - } -} - func (s *referrerTestSuite) TestExtractReferrers() { var fullAttReferrer = &Referrer{ Digest: "sha256:63f811807585a7359882fc4e28bc8e08555d9743aa07a2965217b30ef2ba14a5", diff --git a/app/controlplane/pkg/biz/testhelpers/wire.go b/app/controlplane/pkg/biz/testhelpers/wire.go index 0149de519..6af7e31ba 100644 --- a/app/controlplane/pkg/biz/testhelpers/wire.go +++ b/app/controlplane/pkg/biz/testhelpers/wire.go @@ -50,7 +50,6 @@ func WireTestData(context.Context, *TestDatabase, *testing.T, log.Logger, creden wire.Build( data.ProviderSet, biz.ProviderSet, - wire.Value(&conf.ReferrerSharedIndex{}), wire.Struct(new(TestingUseCases), "*"), wire.Struct(new(TestingRepos), "*"), NewConfData, @@ -67,7 +66,6 @@ func WireTestData(context.Context, *TestDatabase, *testing.T, log.Logger, creden newJWTConfig, authzConfig, authzUseCaseConfig, - biz.NewIndexConfig, newAttestationBundleCache, newNilCASClient, newNoopTracerProvider, diff --git a/app/controlplane/pkg/biz/testhelpers/wire_gen.go b/app/controlplane/pkg/biz/testhelpers/wire_gen.go index a4cad431c..187fea5ee 100644 --- a/app/controlplane/pkg/biz/testhelpers/wire_gen.go +++ b/app/controlplane/pkg/biz/testhelpers/wire_gen.go @@ -148,13 +148,7 @@ func WireTestData(contextContext context.Context, testDatabase *TestDatabase, t return nil, nil, err } referrerRepo := data.NewReferrerRepo(dataData, workflowRepo, logger) - referrerSharedIndex := _wireReferrerSharedIndexValue - referrerSharedIndexConfig, err := biz.NewIndexConfig(referrerSharedIndex) - if err != nil { - cleanup() - return nil, nil, err - } - referrerUseCase, err := biz.NewReferrerUseCase(referrerRepo, workflowRepo, membershipUseCase, referrerSharedIndexConfig, logger) + referrerUseCase, err := biz.NewReferrerUseCase(referrerRepo, workflowRepo, membershipUseCase, logger) if err != nil { cleanup() return nil, nil, err @@ -218,10 +212,6 @@ func WireTestData(contextContext context.Context, testDatabase *TestDatabase, t }, nil } -var ( - _wireReferrerSharedIndexValue = &conf.ReferrerSharedIndex{} -) - // wire.go: func newAttestationBundleCache() *attestationbundle.Cache { diff --git a/app/controlplane/pkg/biz/workflow.go b/app/controlplane/pkg/biz/workflow.go index f869a5ad2..755f1c225 100644 --- a/app/controlplane/pkg/biz/workflow.go +++ b/app/controlplane/pkg/biz/workflow.go @@ -42,11 +42,7 @@ type Workflow struct { ContractName string // Latest available contract revision ContractRevisionLatest int - // Public means that the associated workflow runs, attestations and materials - // are reachable by other users, regardless of their organization - // This field is also used to calculate if an user can download attestations/materials from the CAS - Public bool - ProjectID uuid.UUID + ProjectID uuid.UUID // WorkflowTemplateID references the platform workflow template this workflow was created from WorkflowTemplateID *uuid.UUID } @@ -78,9 +74,6 @@ type WorkflowCreateOpts struct { ContractBytes []byte // DetectedContract is the detected contract from the contract bytes DetectedContract *Contract - // Public means that the associated workflow runs, attestations and materials - // are reachable by other users, regardless of their organization - Public bool // Owner identifies the user to be marked as owner of the project Owner *uuid.UUID @@ -96,7 +89,6 @@ type WorkflowCreateOpts struct { type WorkflowUpdateOpts struct { Team, Description, ContractID *string - Public *bool } // WorkflowListOpts is the options to filter the list of workflows @@ -109,8 +101,6 @@ type WorkflowListOpts struct { WorkflowTeam string // WorkflowProjectNames is the project name of the workflow WorkflowProjectNames []string - // WorkflowPublic is the flag to filter public workflows - WorkflowPublic *bool // WorkflowActiveWindow is the active window of the workflow WorkflowRunRunnerType string // WorkflowActiveWindow is the active window of the workflow @@ -241,7 +231,6 @@ func (uc *WorkflowUseCase) Create(ctx context.Context, opts *WorkflowCreateOpts) WorkflowContractName: wf.ContractName, WorkflowDescription: &opts.Description, Team: &opts.Team, - Public: opts.Public, }, &orgUUID) // Dispatch events to the audit log regarding the contract @@ -330,7 +319,6 @@ func (uc *WorkflowUseCase) dispatchWorkflowUpdatedEvent(ctx context.Context, wf }, NewDescription: opts.Description, NewTeam: opts.Team, - NewPublic: opts.Public, } if opts.ContractID != nil && newWfContract != nil { diff --git a/app/controlplane/pkg/biz/workflow_integration_test.go b/app/controlplane/pkg/biz/workflow_integration_test.go index 842334589..4b90568fa 100644 --- a/app/controlplane/pkg/biz/workflow_integration_test.go +++ b/app/controlplane/pkg/biz/workflow_integration_test.go @@ -299,10 +299,6 @@ func (s *workflowIntegrationTestSuite) TestUpdate() { contract2, err := s.WorkflowContract.Create(ctx, &biz.WorkflowContractCreateOpts{Name: "contract-2", OrgID: org2.ID}) require.NoError(s.T(), err) - s.Run("by default the workflow is private", func() { - s.False(workflow.Public) - }) - s.Run("can't update if no changes are provided", func() { got, err := s.Workflow.Update(ctx, org2.ID, workflow.ID.String(), nil) s.True(biz.IsErrValidation(err)) @@ -346,17 +342,12 @@ func (s *workflowIntegrationTestSuite) TestUpdate() { { name: "update description", updates: &biz.WorkflowUpdateOpts{Description: toPtrS("new description")}, - want: &biz.Workflow{Description: "new description", Team: team, Project: project, Public: false}, - }, - { - name: "update visibility", - updates: &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}, - want: &biz.Workflow{Description: description, Team: team, Project: project, Public: true}, + want: &biz.Workflow{Description: "new description", Team: team, Project: project}, }, { name: "update all options", - updates: &biz.WorkflowUpdateOpts{Team: toPtrS("new team"), Public: toPtrBool(true)}, - want: &biz.Workflow{Description: description, Team: "new team", Project: "test-project", Public: true}, + updates: &biz.WorkflowUpdateOpts{Team: toPtrS("new team")}, + want: &biz.Workflow{Description: description, Team: "new team", Project: "test-project"}, }, { name: "can update contract", @@ -503,17 +494,6 @@ func (s *workflowListIntegrationTestSuite) TestList() { s.Len(workflows, 1) }) - s.Run("list workflows with workflow public filter", func() { - _, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{OrgID: s.org.ID, Name: "name1", Project: project, Team: team, Description: description, Public: true}) - require.NoError(s.T(), err) - _, err = s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{OrgID: s.org.ID, Name: "name2", Project: project, Team: team, Description: description, Public: false}) - require.NoError(s.T(), err) - - workflows, _, err := s.Workflow.List(ctx, s.org.ID, &biz.WorkflowListOpts{WorkflowPublic: toPtrBool(true)}, nil) - s.NoError(err) - s.Len(workflows, 1) - }) - s.Run("list workflows with workflow run runner type filter", func() { _, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{OrgID: s.org.ID, Name: "name1", Project: project, Team: team, Description: description}) require.NoError(s.T(), err) diff --git a/app/controlplane/pkg/biz/workflowrun.go b/app/controlplane/pkg/biz/workflowrun.go index 7c9f96684..86fcde717 100644 --- a/app/controlplane/pkg/biz/workflowrun.go +++ b/app/controlplane/pkg/biz/workflowrun.go @@ -533,35 +533,6 @@ func (uc *WorkflowRunUseCase) List(ctx context.Context, orgID string, f *RunList return uc.wfRunRepo.List(ctx, orgUUID, f, p) } -// Returns the workflow run with the provided ID if it belongs to the org or its public -func (uc *WorkflowRunUseCase) GetByIDInOrgOrPublic(ctx context.Context, orgID, runID string) (*WorkflowRun, error) { - ctx, span := otelx.Start(ctx, workflowRunTracer, "WorkflowRunUseCase.GetByIDInOrgOrPublic") - defer span.End() - - orgUUID, err := uuid.Parse(orgID) - if err != nil { - return nil, NewErrInvalidUUID(err) - } - - runUUID, err := uuid.Parse(runID) - if err != nil { - return nil, NewErrInvalidUUID(err) - } - - wfrun, err := uc.wfRunRepo.FindByID(ctx, runUUID) - if err != nil { - return nil, fmt.Errorf("finding workflow run: %w", err) - } - - // if available, add attestation from attestation bundles - if err = uc.addAttestationFromBundle(ctx, wfrun); err != nil { - return nil, fmt.Errorf("retrieving attestation from bundle: %w", err) - } - - // If the workflow is public or belongs to the org we can return it - return workflowRunInOrgOrPublic(wfrun, orgUUID) -} - // Returns the workflow run with the provided ID if it belongs to the org func (uc *WorkflowRunUseCase) GetByIDInOrg(ctx context.Context, orgID, runID string) (*WorkflowRun, error) { ctx, span := otelx.Start(ctx, workflowRunTracer, "WorkflowRunUseCase.GetByIDInOrg") @@ -654,8 +625,11 @@ func trustedRootBizToVerifier(biztr *TrustedRoot) (*verifier.TrustedRoot, error) return tr, nil } -func (uc *WorkflowRunUseCase) GetByDigestInOrgOrPublic(ctx context.Context, orgID, digest string) (*WorkflowRun, error) { - ctx, span := otelx.Start(ctx, workflowRunTracer, "WorkflowRunUseCase.GetByDigestInOrgOrPublic") +// GetByDigestInOrg returns the workflow run identified by the given attestation digest, but only +// when it belongs to the provided organization. A run in another organization is reported as not +// found (identical to a nonexistent digest) so it does not leak cross-tenant existence. +func (uc *WorkflowRunUseCase) GetByDigestInOrg(ctx context.Context, orgID, digest string) (*WorkflowRun, error) { + ctx, span := otelx.Start(ctx, workflowRunTracer, "WorkflowRunUseCase.GetByDigestInOrg") defer span.End() orgUUID, err := uuid.Parse(orgID) @@ -672,13 +646,16 @@ func (uc *WorkflowRunUseCase) GetByDigestInOrgOrPublic(ctx context.Context, orgI return nil, fmt.Errorf("finding workflow run: %w", err) } + if wfrun == nil || wfrun.Workflow.OrgID != orgUUID { + return nil, NewErrNotFound("workflow run") + } + // if available, add attestation from attestation bundles if err = uc.addAttestationFromBundle(ctx, wfrun); err != nil { return nil, fmt.Errorf("retrieving attestation from bundle: %w", err) } - // If the workflow is public or belongs to the org we can return it - return workflowRunInOrgOrPublic(wfrun, orgUUID) + return wfrun, nil } // addAttestationFromBundle resolves the attestation bundle using cache → DB → CAS fallback. @@ -772,15 +749,6 @@ func (uc *WorkflowRunUseCase) downloadBundleFromCAS(ctx context.Context, digest return buf.Bytes(), nil } -// filter the workflow runs that belong to the org or are public -func workflowRunInOrgOrPublic(wfRun *WorkflowRun, orgID uuid.UUID) (*WorkflowRun, error) { - if wfRun == nil || (wfRun.Workflow.OrgID != orgID && !wfRun.Workflow.Public) { - return nil, NewErrNotFound("workflow run") - } - - return wfRun, nil -} - // Implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues func (WorkflowRunStatus) Values() (kinds []string) { for _, s := range []WorkflowRunStatus{ diff --git a/app/controlplane/pkg/biz/workflowrun_integration_test.go b/app/controlplane/pkg/biz/workflowrun_integration_test.go index e193acd73..4eb9199a3 100644 --- a/app/controlplane/pkg/biz/workflowrun_integration_test.go +++ b/app/controlplane/pkg/biz/workflowrun_integration_test.go @@ -247,7 +247,7 @@ func (s *workflowRunIntegrationTestSuite) TestSaveAttestation() { assert.NoError(err) // Retrieve attestation ref from storage and compare - r, err := s.WorkflowRun.GetByIDInOrgOrPublic(ctx, s.org.ID, run.ID.String()) + r, err := s.WorkflowRun.GetByIDInOrg(ctx, s.org.ID, run.ID.String()) assert.NoError(err) assert.Equal(bundleHash.String(), r.Attestation.Digest) env := attestation.DSSEEnvelopeFromBundle(bundle) @@ -281,7 +281,7 @@ func (s *workflowRunIntegrationTestSuite) TestSaveAttestation() { // digest is recorded on the workflow run err = s.WorkflowRun.MarkAsFinished(ctx, run.ID.String(), biz.WorkflowRunSuccess, "") assert.NoError(err) - stored, err := s.WorkflowRun.GetByIDInOrgOrPublic(ctx, s.org.ID, run.ID.String()) + stored, err := s.WorkflowRun.GetByIDInOrg(ctx, s.org.ID, run.ID.String()) assert.NoError(err) assert.Equal(bundleHash.String(), stored.Attestation.Digest) @@ -407,7 +407,7 @@ func (s *workflowRunIntegrationTestSuite) TestReleasedVersionImmutability() { }) } -func (s *workflowRunIntegrationTestSuite) TestGetByIDInOrgOrPublic() { +func (s *workflowRunIntegrationTestSuite) TestGetByIDInOrg() { assert := assert.New(s.T()) ctx := context.Background() testCases := []struct { @@ -434,15 +434,16 @@ func (s *workflowRunIntegrationTestSuite) TestGetByIDInOrgOrPublic() { wantErr: true, }, { - name: "can access workflowRun from other org if public", - orgID: s.org.ID, - runID: s.runOrg2Public.ID.String(), + name: "can't access workflowRun from other org even if formerly public", + orgID: s.org.ID, + runID: s.runOrg2Public.ID.String(), + wantErr: true, }, } for _, tc := range testCases { s.T().Run(tc.name, func(t *testing.T) { - run, err := s.WorkflowRun.GetByIDInOrgOrPublic(ctx, tc.orgID, tc.runID) + run, err := s.WorkflowRun.GetByIDInOrg(ctx, tc.orgID, tc.runID) if tc.wantErr { assert.Error(err) assert.True(biz.IsNotFound(err)) @@ -454,7 +455,7 @@ func (s *workflowRunIntegrationTestSuite) TestGetByIDInOrgOrPublic() { } } -func (s *workflowRunIntegrationTestSuite) TestGetByDigestInOrgOrPublic() { +func (s *workflowRunIntegrationTestSuite) TestGetByDigestInOrg() { assert := assert.New(s.T()) ctx := context.Background() testCases := []struct { @@ -487,15 +488,16 @@ func (s *workflowRunIntegrationTestSuite) TestGetByDigestInOrgOrPublic() { errTypeChecker: biz.IsNotFound, }, { - name: "can access workflowRun from other org if public", - orgID: s.org.ID, - digest: s.digestAttPublic, + name: "can't access workflowRun from other org even if formerly public", + orgID: s.org.ID, + digest: s.digestAttPublic, + errTypeChecker: biz.IsNotFound, }, } for _, tc := range testCases { s.T().Run(tc.name, func(t *testing.T) { - run, err := s.WorkflowRun.GetByDigestInOrgOrPublic(ctx, tc.orgID, tc.digest) + run, err := s.WorkflowRun.GetByDigestInOrg(ctx, tc.orgID, tc.digest) if tc.errTypeChecker != nil { assert.Error(err) assert.True(tc.errTypeChecker(err)) @@ -1075,7 +1077,7 @@ func setupWorkflowRunTestData(t *testing.T, suite *testhelpers.TestingUseCases, s.workflowOrg2, err = suite.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-workflow", OrgID: s.org2.ID, Project: "test-project"}) assert.NoError(err) // Public workflow - s.workflowPublicOrg2, err = suite.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-public-workflow", OrgID: s.org2.ID, Public: true, Project: "test-project"}) + s.workflowPublicOrg2, err = suite.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-public-workflow", OrgID: s.org2.ID, Project: "test-project"}) assert.NoError(err) // Find contract revision diff --git a/app/controlplane/pkg/data/casmapping.go b/app/controlplane/pkg/data/casmapping.go index 08ad455bc..d75b0d1f6 100644 --- a/app/controlplane/pkg/data/casmapping.go +++ b/app/controlplane/pkg/data/casmapping.go @@ -25,7 +25,6 @@ import ( "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/casbackend" "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/casmapping" "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/predicate" - "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/workflow" "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/workflowrun" "github.com/chainloop-dev/chainloop/pkg/otelx" "github.com/go-kratos/kratos/v2/log" @@ -59,6 +58,17 @@ func (r *CASMappingRepo) Create(ctx context.Context, digest string, casBackendID return nil, fmt.Errorf("cas backend not found") } + // workflow_run_id has no DB-level foreign key, so validate the referenced run exists to avoid + // creating a mapping that points to a non-existent workflow run. + if opts != nil && opts.WorkflowRunID != nil { + exists, err := r.data.DB.WorkflowRun.Query().Where(workflowrun.ID(*opts.WorkflowRunID)).Exist(ctx) + if err != nil { + return nil, fmt.Errorf("failed to check workflow run: %w", err) + } else if !exists { + return nil, biz.NewErrNotFound("workflow run") + } + } + query := r.data.DB.CASMapping.Create(). SetDigest(digest). SetCasBackendID(casBackendID). @@ -112,42 +122,7 @@ func (r *CASMappingRepo) FindByDigestInOrgs(ctx context.Context, digest string, return nil, err } - // Access is granted through org membership, independent of the workflow's public visibility. - return entCASMappingToBiz(m, false) -} - -// FindPublicByDigest returns a single CAS mapping for the digest that was produced by a public -// workflow, preferring the default backend. It returns (nil, nil) when no public mapping exists. -// -// A public mapping can live in any organization, so visibility is matched on the mapping's workflow -// rather than on org membership. As there is no ent edge from a mapping to its workflow run, the -// match is expressed as a subquery on workflow_run_id. The selection is bounded with a LIMIT 1. -func (r *CASMappingRepo) FindPublicByDigest(ctx context.Context, digest string) (*biz.CASMapping, error) { - ctx, span := otelx.Start(ctx, casMappingRepoTracer, "CASMappingRepo.FindPublicByDigest") - defer span.End() - - publicWorkflowRun := func(s *sql.Selector) { - wr := sql.Table(workflowrun.Table) - wf := sql.Table(workflow.Table) - s.Where(sql.In( - s.C(casmapping.FieldWorkflowRunID), - sql.Select(wr.C(workflowrun.FieldID)). - From(wr). - Join(wf).On(wr.C(workflowrun.FieldWorkflowID), wf.C(workflow.FieldID)). - // The workflow must be public and not (soft) deleted. - Where(sql.And( - sql.EQ(wf.C(workflow.FieldPublic), true), - sql.IsNull(wf.C(workflow.FieldDeletedAt)), - )), - )) - } - - m, err := r.findOnePreferringDefault(ctx, casmapping.Digest(digest), publicWorkflowRun) - if err != nil || m == nil { - return nil, err - } - - return entCASMappingToBiz(m, true) + return entCASMappingToBiz(m) } // findOnePreferringDefault returns the first CAS mapping matching the given predicates, preferring @@ -188,42 +163,10 @@ func (r *CASMappingRepo) findByID(ctx context.Context, id uuid.UUID) (*biz.CASMa return nil, nil } - public, err := r.IsPublic(ctx, r.data.DB, backend.WorkflowRunID) - if err != nil { - if ent.IsNotFound(err) { - return nil, biz.NewErrNotFound("cas mapping") - } - - return nil, fmt.Errorf("failed to check if workflow is public: %w", err) - } - - return entCASMappingToBiz(backend, public) -} - -func (r *CASMappingRepo) IsPublic(ctx context.Context, client *ent.Client, runID uuid.UUID) (bool, error) { - ctx, span := otelx.Start(ctx, casMappingRepoTracer, "CASMappingRepo.IsPublic") - defer span.End() - - // If the workflow run id is not set, the mapping is not public - if runID == uuid.Nil { - return false, nil - } - - // Check if the workflow is public - wr, err := client.WorkflowRun.Query().Where(workflowrun.ID(runID)).Select(workflowrun.FieldWorkflowID).First(ctx) - if err != nil { - return false, fmt.Errorf("failed to get workflow run: %w", err) - } - - workflow, err := client.Workflow.Query().Where(workflow.ID(wr.WorkflowID)).Select(workflow.FieldPublic).First(ctx) - if err != nil { - return false, fmt.Errorf("failed to get workflow: %w", err) - } - - return workflow.Public, nil + return entCASMappingToBiz(backend) } -func entCASMappingToBiz(input *ent.CASMapping, public bool) (*biz.CASMapping, error) { +func entCASMappingToBiz(input *ent.CASMapping) (*biz.CASMapping, error) { if input == nil { return nil, nil } @@ -241,7 +184,6 @@ func entCASMappingToBiz(input *ent.CASMapping, public bool) (*biz.CASMapping, er WorkflowRunID: input.WorkflowRunID, OrgID: input.OrganizationID, CreatedAt: toTimePtr(input.CreatedAt), - Public: public, ProjectID: input.ProjectID, }, nil } diff --git a/app/controlplane/pkg/data/ent/schema/workflow.go b/app/controlplane/pkg/data/ent/schema/workflow.go index d8146622d..f21dbc61b 100644 --- a/app/controlplane/pkg/data/ent/schema/workflow.go +++ b/app/controlplane/pkg/data/ent/schema/workflow.go @@ -52,7 +52,10 @@ func (Workflow) Fields() []ent.Field { Default: "CURRENT_TIMESTAMP", }), field.Time("deleted_at").Optional(), - // public means that the workflow runs, attestations and materials are reachable + // Deprecated: the public workflow feature was removed and this column is no longer read or + // written by the application. It is intentionally kept (not dropped) so that pods still + // running the previous image—which SELECT this column—keep working during rollout. The + // column will be dropped in a follow-up migration once the rollout has settled. field.Bool("public").Default(false), field.UUID("organization_id", uuid.UUID{}), field.UUID("project_id", uuid.UUID{}), diff --git a/app/controlplane/pkg/data/referrer.go b/app/controlplane/pkg/data/referrer.go index 4de7ba371..a642d3ac0 100644 --- a/app/controlplane/pkg/data/referrer.go +++ b/app/controlplane/pkg/data/referrer.go @@ -138,10 +138,6 @@ func (r *ReferrerRepo) Exist(ctx context.Context, digest string, filters ...biz. query = query.Where(referrer.Kind(*opts.RootKind)) } - if opts.Public != nil { - query = query.WithWorkflows(func(q *ent.WorkflowQuery) { q.Where(workflow.PublicEQ(*opts.Public)) }) - } - return query.Exist(ctx) } @@ -171,11 +167,6 @@ func (r *ReferrerRepo) GetFromRoot(ctx context.Context, digest string, orgIDs [] workflow.DeletedAtIsNil(), workflow.HasOrganizationWith(organization.IDIn(orgIDs...)), } - // optionally attaching its visibility - if opts.Public != nil { - predicateWF = append(predicateWF, workflow.Public(*opts.Public)) - } - // Attach the workflow predicate predicateReferrer = append(predicateReferrer, referrer.HasWorkflowsWith(predicateWF...)) @@ -190,7 +181,7 @@ func (r *ReferrerRepo) GetFromRoot(ctx context.Context, digest string, orgIDs [] if opts.ProjectVersion != nil { version = *opts.ProjectVersion } - projectPred = r.projectScopePredicate(*opts.ProjectName, version, orgIDs, opts.ProjectIDs, opts.Public) + projectPred = r.projectScopePredicate(*opts.ProjectName, version, orgIDs, opts.ProjectIDs) predicateReferrer = append(predicateReferrer, referrer.Or( referrer.KindNEQ(biz.ReferrerAttestationType), projectPred, @@ -215,7 +206,7 @@ func (r *ReferrerRepo) GetFromRoot(ctx context.Context, digest string, orgIDs [] } // Find the referrer recursively starting from the root - res, nextCursor, err := r.doGet(ctx, refs[0], orgIDs, opts.ProjectIDs, opts.Public, projectPred, p, 0) + res, nextCursor, err := r.doGet(ctx, refs[0], orgIDs, opts.ProjectIDs, projectPred, p, 0) if err != nil && !biz.IsErrUnauthorized(err) { return nil, "", fmt.Errorf("failed to get referrer: %w", err) } @@ -230,13 +221,11 @@ func (r *ReferrerRepo) GetFromRoot(ctx context.Context, digest string, orgIDs [] // semi-join via the index on workflow_run.attestation_digest, which is what makes the filter // scale at thousands of runs per project. // -// Visibility mirrors isReferrerVisible: a run is included when its workflow is either public -// (regardless of RBAC) or its project is in the caller's RBAC-visible set. visibleProjectsMap -// follows the existing convention — an org entry present means RBAC applies for that org and -// only the listed project IDs are visible; an org absent means no RBAC restriction. When -// public != nil, the run's workflow visibility is additionally constrained to that value. -// The public-workflow short-circuit is tracked for removal in chainloop-dev/chainloop#3163. -func (r *ReferrerRepo) projectScopePredicate(projectName, version string, orgIDs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, public *bool) predicate.Referrer { +// Visibility mirrors isReferrerVisible: a run is included when its workflow's project is in the +// caller's RBAC-visible set. visibleProjectsMap follows the existing convention — an org entry +// present means RBAC applies for that org and only the listed project IDs are visible; an org +// absent means no RBAC restriction. +func (r *ReferrerRepo) projectScopePredicate(projectName, version string, orgIDs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID) predicate.Referrer { versionPredicates := []predicate.ProjectVersion{ projectversion.DeletedAtIsNil(), projectversion.HasProjectWith( @@ -252,27 +241,16 @@ func (r *ReferrerRepo) projectScopePredicate(projectName, version string, orgIDs workflowrun.HasVersionWith(versionPredicates...), } - // Visibility OR — same semantics as isReferrerVisible: a public workflow is visible to any - // caller in its org, otherwise the project must be in the caller's RBAC-visible set. - visibility := []predicate.WorkflowRun{ - workflowrun.HasWorkflowWith( - workflow.DeletedAtIsNil(), - workflow.Public(true), - workflow.HasOrganizationWith(organization.IDIn(orgIDs...)), - ), - } - if rbacScope := projectVisibilityPredicate(orgIDs, visibleProjectsMap); rbacScope != nil { - visibility = append(visibility, workflowrun.HasWorkflowWith( - workflow.DeletedAtIsNil(), - workflow.HasProjectWith(rbacScope), - )) - } - runPredicates = append(runPredicates, workflowrun.Or(visibility...)) - - // If the caller explicitly scopes by public/private, layer that on top. - if public != nil { - runPredicates = append(runPredicates, workflowrun.HasWorkflowWith(workflow.Public(*public))) + // Visibility — same semantics as isReferrerVisible: the run's workflow project must be in the + // caller's RBAC-visible set. If no project is visible in any allowed org, nothing matches. + rbacScope := projectVisibilityPredicate(orgIDs, visibleProjectsMap) + if rbacScope == nil { + return func(s *sql.Selector) { s.Where(sql.False()) } } + runPredicates = append(runPredicates, workflowrun.HasWorkflowWith( + workflow.DeletedAtIsNil(), + workflow.HasProjectWith(rbacScope), + )) return func(s *sql.Selector) { t := sql.Table(workflowrun.Table) @@ -286,8 +264,8 @@ func (r *ReferrerRepo) projectScopePredicate(projectName, version string, orgIDs // projectVisibilityPredicate builds a project predicate that accepts a project iff it belongs to // one of the allowed orgs AND, when RBAC applies to that org, the project is in the caller's -// visible set. Returns nil when no org grants any project visibility, so callers can fall back -// to other visibility paths (e.g. public workflows). +// visible set. Returns nil when no org grants any project visibility, so callers can treat that +// as "nothing is visible". func projectVisibilityPredicate(orgIDs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID) predicate.Project { perOrg := make([]predicate.Project, 0, len(orgIDs)) for _, orgID := range orgIDs { @@ -315,7 +293,7 @@ func projectVisibilityPredicate(orgIDs []uuid.UUID, visibleProjectsMap map[uuid. // we also need to limit this because there might be cycles const maxTraverseLevels = 1 -func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, public *bool, projectPred predicate.Referrer, p *pagination.CursorOptions, level int) (*biz.StoredReferrer, string, error) { +func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, projectPred predicate.Referrer, p *pagination.CursorOptions, level int) (*biz.StoredReferrer, string, error) { // Assemble the referrer to return res := &biz.StoredReferrer{ ID: root.ID, @@ -357,11 +335,6 @@ func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrg workflow.DeletedAtIsNil(), workflow.HasOrganizationWith(organization.IDIn(allowedOrgs...)), } - // optionally attaching its visibility - if public != nil { - predicateWF = append(predicateWF, workflow.Public(*public)) - } - // Attach the workflow predicate predicateReferrer = append(predicateReferrer, referrer.HasWorkflowsWith(predicateWF...)) @@ -414,7 +387,7 @@ func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrg // Add the references to the result for _, reference := range refs { // Call recursively the function — pagination only applies to the first level - ref, _, err := r.doGet(ctx, reference, allowedOrgs, visibleProjectsMap, public, projectPred, nil, level+1) + ref, _, err := r.doGet(ctx, reference, allowedOrgs, visibleProjectsMap, projectPred, nil, level+1) if err != nil && !biz.IsErrUnauthorized(err) { return nil, "", fmt.Errorf("failed to get referrer: %w", err) } @@ -449,10 +422,6 @@ func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrg } func isReferrerVisible(ref *biz.StoredReferrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID) bool { - if ref.InPublicWorkflow { - return true - } - for _, oid := range ref.OrgIDs { if !slices.Contains(allowedOrgs, oid) { // skip check in organizations where the user doesn't have access @@ -477,19 +446,14 @@ func isReferrerVisible(ref *biz.StoredReferrer, allowedOrgs []uuid.UUID, visible } // hydrate the referrer with the following information: -// - isPublic: if it has a public workflow associated // - workflowIDs: the list of associated workflows // - orgIDs: the list of associated organizations func hydrateWorkflowsInfo(root *ent.Referrer, out *biz.StoredReferrer) { - isPublic := false workflowIDs := make([]uuid.UUID, 0, len(root.Edges.Workflows)) projectIDs := make(map[uuid.UUID]bool, 0) orgIDs := make([]uuid.UUID, 0) orgsMap := make(map[uuid.UUID]struct{}, 0) for _, wf := range root.Edges.Workflows { - if wf.Public { - isPublic = true - } workflowIDs = append(workflowIDs, wf.ID) if _, ok := orgsMap[wf.OrganizationID]; !ok { orgIDs = append(orgIDs, wf.OrganizationID) @@ -501,7 +465,6 @@ func hydrateWorkflowsInfo(root *ent.Referrer, out *biz.StoredReferrer) { } out.ProjectIDs = maps.Keys(projectIDs) - out.InPublicWorkflow = isPublic out.WorkflowIDs = workflowIDs out.OrgIDs = orgIDs } diff --git a/app/controlplane/pkg/data/workflow.go b/app/controlplane/pkg/data/workflow.go index 2593b98c1..31918e88d 100644 --- a/app/controlplane/pkg/data/workflow.go +++ b/app/controlplane/pkg/data/workflow.go @@ -204,7 +204,6 @@ func (r *WorkflowRepo) Create(ctx context.Context, opts *biz.WorkflowCreateOpts) SetName(opts.Name). SetProjectID(projectID). SetTeam(opts.Team). - SetPublic(opts.Public). SetName(opts.Name). SetContractID(contractUUID). SetOrganizationID(orgUUID). @@ -236,7 +235,6 @@ func (r *WorkflowRepo) Update(ctx context.Context, id uuid.UUID, opts *biz.Workf req := r.data.DB.Workflow.UpdateOneID(id). SetNillableTeam(opts.Team). - SetNillablePublic(opts.Public). SetNillableDescription(opts.Description). SetUpdatedAt(time.Now()) @@ -344,10 +342,6 @@ func applyWorkflowRunFilters(baseQuery *ent.WorkflowQuery, opts *biz.WorkflowLis // applyWorkflowFilters applies filters to the Workflow query based on the provided options func applyWorkflowFilters(wfQuery *ent.WorkflowQuery, opts *biz.WorkflowListOpts) (*ent.WorkflowQuery, error) { if opts != nil { - if opts.WorkflowPublic != nil { - wfQuery = wfQuery.Where(workflow.Public(*opts.WorkflowPublic)) - } - if opts.ProjectIDs != nil { wfQuery = wfQuery.Where(workflow.ProjectIDIn(opts.ProjectIDs...)) } @@ -503,7 +497,6 @@ func entWFToBizWF(ctx context.Context, w *ent.Workflow) (*biz.Workflow, error) { wf := &biz.Workflow{Name: w.Name, ID: w.ID, CreatedAt: toTimePtr(w.CreatedAt), Team: w.Team, RunsCounter: w.RunsCount, - Public: w.Public, Description: w.Description, OrgID: w.OrganizationID, ProjectID: w.ProjectID, diff --git a/app/controlplane/pkg/data/workflowrun.go b/app/controlplane/pkg/data/workflowrun.go index 612b14c92..6406a184f 100644 --- a/app/controlplane/pkg/data/workflowrun.go +++ b/app/controlplane/pkg/data/workflowrun.go @@ -238,7 +238,7 @@ func (r *WorkflowRunRepo) FindByIDInOrg(ctx context.Context, orgID, id uuid.UUID run, err := orgScopedQuery(r.data.DB, orgID). QueryWorkflows(). QueryWorkflowruns().Where(workflowrun.ID(id)). - WithWorkflowAndProject().WithContractVersion().WithCasBackends(). + WithWorkflowAndProject().WithVersion().WithContractVersion().WithCasBackends(). Only(ctx) if err != nil && !ent.IsNotFound(err) { return nil, err diff --git a/buf.yaml b/buf.yaml index 6ac0cff6d..babfd6d57 100644 --- a/buf.yaml +++ b/buf.yaml @@ -55,8 +55,16 @@ modules: ignore_only: # Deprecated `attestation` and `bundle` fields were removed in favor of `attestation_bundle`; # their tag numbers and names are `reserved` in the proto to prevent accidental reuse. + # The `public` workflow attribute and the public shared referrer index were removed; + # their tag numbers/names are `reserved` and the DiscoverPublicShared RPC + messages deleted. FIELD_NO_DELETE: - app/controlplane/api/controlplane/v1/workflow_run.proto + - app/controlplane/api/controlplane/v1/workflow.proto + - app/controlplane/api/controlplane/v1/referrer.proto + RPC_NO_DELETE: + - app/controlplane/api/controlplane/v1/referrer.proto + MESSAGE_NO_DELETE: + - app/controlplane/api/controlplane/v1/referrer.proto - path: app/controlplane/internal/conf lint: use: @@ -74,6 +82,13 @@ modules: except: - EXTENSION_NO_DELETE - FIELD_SAME_DEFAULT + ignore_only: + # The referrer_shared_index config field + ReferrerSharedIndex message were removed + # together with the public shared referrer index feature. + FIELD_NO_DELETE: + - app/controlplane/internal/conf/controlplane/config/v1/conf.proto + MESSAGE_NO_DELETE: + - app/controlplane/internal/conf/controlplane/config/v1/conf.proto - path: app/controlplane/pkg/conf lint: use: diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml index ed5da16e7..751c0ad0b 100644 --- a/deployment/chainloop/Chart.yaml +++ b/deployment/chainloop/Chart.yaml @@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 1.409.0 +version: 1.409.1 # Do not update appVersion, this is handled automatically by the release process appVersion: v1.103.1 diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index c9e30d54d..976984545 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -570,9 +570,6 @@ Once done, you can access with [two predefined users](https://github.com/chainlo | `controlplane.enableProfiler` | Enable pprof profiling on port 6060 | `false` | | `controlplane.tls.existingSecret` | Existing secret name containing TLS certificate to be used by the controlplane grpc server. NOTE: When it's set it will disable secret creation. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. | `""` | | `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | -| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | -| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | -| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | | `controlplane.federatedAuthentication` | Enable federated authentication during attestation process | | | `controlplane.federatedAuthentication.enabled` | Enable federated authentication | `false` | | `controlplane.federatedAuthentication.url` | URL of the federated authentication endpoint | `""` | diff --git a/deployment/chainloop/templates/controlplane/configmap.yaml b/deployment/chainloop/templates/controlplane/configmap.yaml index 7e7a991fa..3517d2593 100644 --- a/deployment/chainloop/templates/controlplane/configmap.yaml +++ b/deployment/chainloop/templates/controlplane/configmap.yaml @@ -52,8 +52,6 @@ data: {{- if .Values.controlplane.uiDashboardURL }} ui_dashboard_url: {{ .Values.controlplane.uiDashboardURL | quote }} {{- end }} - referrer_shared_index: - {{- toYaml .Values.controlplane.referrerSharedIndex | nindent 6 }} {{ if .Values.controlplane.onboarding }} onboarding: {{- toYaml .Values.controlplane.onboarding | nindent 6 }} diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml index e0f3e152d..07f7ed4ab 100644 --- a/deployment/chainloop/values.yaml +++ b/deployment/chainloop/values.yaml @@ -166,13 +166,6 @@ controlplane: ## @param controlplane.pluginsDir Directory where to look for plugins pluginsDir: /plugins - ## @extra controlplane.referrerSharedIndex Configure the shared, public index API endpoint that can be used to discover metadata referrers - ## @param controlplane.referrerSharedIndex.enabled Enable index API endpoint - ## @param controlplane.referrerSharedIndex.allowedOrgs List of UUIDs of organizations that are allowed to publish to the shared index - referrerSharedIndex: - enabled: false - allowedOrgs: [] - ## @extra controlplane.federatedAuthentication Enable federated authentication during attestation process ## @param controlplane.federatedAuthentication.enabled Enable federated authentication ## @param controlplane.federatedAuthentication.url URL of the federated authentication endpoint