From 269bfec9c27c54bb6b76c741cc15f2863c3e3ae3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=ADas=20Insaurralde?= Date: Fri, 10 Jul 2026 20:53:28 -0300 Subject: [PATCH] refactor: remove the public attribute from workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove the workflow "public" feature entirely. Access to workflow runs, their evidence and CAS artifacts is now organization-scoped only (honoring project RBAC); the public evidence surfaces are retired. - Stop reading and writing the workflows.public column and drop the Workflow.Public domain field. The column is deprecated in place (not dropped) so pods still running the previous image keep working during rollout; a follow-up migration will drop the column later - Replace the public-aware lookups with organization-strict ones (add GetByDigestInOrg); WorkflowRunService.View always enforces RBAC - Remove the CAS-mapping public download fallback - Retire the public shared referrer index (DiscoverPublicShared RPC, ReferrerSharedIndex config, InPublicWorkflow visibility), including its Helm chart values and control-plane config - Remove the CLI --public flags and the workflow list Public column - Delete/reserve the corresponding proto fields; WorkflowItem.public is kept as a deprecated, always-false field for wire compatibility Signed-off-by: Matías Insaurralde --- app/cli/cmd/referrer_discover.go | 12 +- app/cli/cmd/workflow_create.go | 6 +- app/cli/cmd/workflow_list.go | 10 +- app/cli/cmd/workflow_update.go | 7 +- app/cli/documentation/cli-reference.mdx | 3 - app/cli/pkg/action/referrer_discover.go | 26 -- app/cli/pkg/action/workflow_create.go | 4 +- app/cli/pkg/action/workflow_list.go | 7 +- app/cli/pkg/action/workflow_update.go | 4 +- .../api/controlplane/v1/referrer.pb.go | 222 ++----------- .../api/controlplane/v1/referrer.proto | 52 +-- .../api/controlplane/v1/referrer_grpc.pb.go | 46 +-- .../api/controlplane/v1/referrer_http.pb.go | 41 --- .../controlplane/v1/response_messages.pb.go | 14 +- .../controlplane/v1/response_messages.proto | 7 +- .../api/controlplane/v1/workflow.pb.go | 53 +-- .../api/controlplane/v1/workflow.proto | 12 +- .../api/controlplane/v1/workflow_grpc.pb.go | 2 +- .../gen/frontend/controlplane/v1/referrer.ts | 250 -------------- .../controlplane/v1/response_messages.ts | 7 +- .../gen/frontend/controlplane/v1/workflow.ts | 65 +--- ...iscoverPublicSharedRequest.jsonschema.json | 23 -- ...v1.DiscoverPublicSharedRequest.schema.json | 23 -- ...scoverPublicSharedResponse.jsonschema.json | 18 -- ...1.DiscoverPublicSharedResponse.schema.json | 18 -- ...ntrolplane.v1.ReferrerItem.jsonschema.json | 4 - .../controlplane.v1.ReferrerItem.schema.json | 4 - ...ntrolplane.v1.WorkflowItem.jsonschema.json | 2 +- .../controlplane.v1.WorkflowItem.schema.json | 2 +- ...rkflowServiceCreateRequest.jsonschema.json | 3 - ...1.WorkflowServiceCreateRequest.schema.json | 3 - ...WorkflowServiceListRequest.jsonschema.json | 8 - ....v1.WorkflowServiceListRequest.schema.json | 8 - ...rkflowServiceUpdateRequest.jsonschema.json | 3 - ...1.WorkflowServiceUpdateRequest.schema.json | 3 - app/controlplane/api/gen/openapi/openapi.yaml | 80 ----- app/controlplane/cmd/wire.go | 3 +- app/controlplane/cmd/wire_gen.go | 10 +- app/controlplane/configs/samples/config.yaml | 10 - .../conf/controlplane/config/v1/conf.go | 41 --- .../conf/controlplane/config/v1/conf.pb.go | 305 +++++++----------- .../conf/controlplane/config/v1/conf.proto | 15 +- .../conf/controlplane/config/v1/conf_test.go | 75 ----- .../internal/dispatcher/dispatcher.go | 2 +- app/controlplane/internal/server/grpc.go | 2 +- .../internal/service/attestation.go | 6 +- app/controlplane/internal/service/referrer.go | 21 -- app/controlplane/internal/service/workflow.go | 12 +- .../internal/service/workflowrun.go | 12 +- .../testdata/workflows/workflow_updated.json | 5 +- .../workflow_updated_by_api_token.json | 5 +- ...rkflow_updated_with_workflow_contract.json | 3 +- ...d_with_workflow_contract_by_api_token.json | 3 +- .../pkg/auditor/events/workflow.go | 4 +- .../pkg/auditor/events/workflow_test.go | 12 +- .../pkg/authz/authz_consistency_test.go | 1 - app/controlplane/pkg/biz/casmapping.go | 28 +- .../pkg/biz/casmapping_integration_test.go | 61 +--- app/controlplane/pkg/biz/casmapping_test.go | 1 - .../pkg/biz/mocks/CASMappingRepo.go | 68 ---- app/controlplane/pkg/biz/referrer.go | 88 +---- .../pkg/biz/referrer_integration_test.go | 139 +------- app/controlplane/pkg/biz/referrer_test.go | 39 +-- app/controlplane/pkg/biz/testhelpers/wire.go | 2 - .../pkg/biz/testhelpers/wire_gen.go | 12 +- app/controlplane/pkg/biz/workflow.go | 14 +- .../pkg/biz/workflow_integration_test.go | 26 +- app/controlplane/pkg/biz/workflowrun.go | 52 +-- .../pkg/biz/workflowrun_integration_test.go | 28 +- app/controlplane/pkg/data/casmapping.go | 86 +---- .../pkg/data/ent/schema/workflow.go | 5 +- app/controlplane/pkg/data/referrer.go | 77 ++--- app/controlplane/pkg/data/workflow.go | 7 - app/controlplane/pkg/data/workflowrun.go | 2 +- buf.yaml | 15 + deployment/chainloop/Chart.yaml | 2 +- deployment/chainloop/README.md | 3 - .../templates/controlplane/configmap.yaml | 2 - deployment/chainloop/values.yaml | 7 - 79 files changed, 336 insertions(+), 2027 deletions(-) delete mode 100644 app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json delete mode 100644 app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.schema.json delete mode 100644 app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.jsonschema.json delete mode 100644 app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.schema.json delete mode 100644 app/controlplane/internal/conf/controlplane/config/v1/conf.go delete mode 100644 app/controlplane/internal/conf/controlplane/config/v1/conf_test.go diff --git a/app/cli/cmd/referrer_discover.go b/app/cli/cmd/referrer_discover.go index 2e55ea9a0..fbedf4378 100644 --- a/app/cli/cmd/referrer_discover.go +++ b/app/cli/cmd/referrer_discover.go @@ -26,7 +26,6 @@ import ( func newReferrerDiscoverCmd() *cobra.Command { var digest, kind string - var fromPublicIndex bool paginationOpts := &options.PaginationOpts{DefaultLimit: 20} cmd := &cobra.Command{ @@ -38,15 +37,7 @@ func newReferrerDiscoverCmd() *cobra.Command { NextCursor: paginationOpts.NextCursor, } - var res *action.ReferrerDiscoverResult - var err error - - if fromPublicIndex { - res, err = action.NewReferrerDiscoverPublicIndex(ActionOpts).Run(context.Background(), digest, kind, pagination) - } else { - res, err = action.NewReferrerDiscoverPrivate(ActionOpts).Run(context.Background(), digest, kind, pagination) - } - + res, err := action.NewReferrerDiscoverPrivate(ActionOpts).Run(context.Background(), digest, kind, pagination) if err != nil { return err } @@ -61,7 +52,6 @@ func newReferrerDiscoverCmd() *cobra.Command { cobra.CheckErr(err) cmd.Flags().StringVarP(&kind, "kind", "k", "", "optional kind of the referrer, used to disambiguate between multiple referrers with the same digest") cobra.CheckErr(err) - cmd.Flags().BoolVar(&fromPublicIndex, "public", false, "discover from public shared index instead of your organizations'") paginationOpts.AddFlags(cmd) return cmd diff --git a/app/cli/cmd/workflow_create.go b/app/cli/cmd/workflow_create.go index 03b775c0a..a7ac2b036 100644 --- a/app/cli/cmd/workflow_create.go +++ b/app/cli/cmd/workflow_create.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -27,7 +27,7 @@ import ( func newWorkflowCreateCmd() *cobra.Command { var workflowName, description, project, team, contractRef string - var public, skipIfExists bool + var skipIfExists bool cmd := &cobra.Command{ Use: "create", @@ -47,7 +47,6 @@ func newWorkflowCreateCmd() *cobra.Command { RunE: func(cmd *cobra.Command, args []string) error { opts := &action.NewWorkflowCreateOpts{ Name: workflowName, Team: team, Project: project, Description: description, - Public: public, } // Try to load it if it's a file or URL otherwise assume it's an existing contract name @@ -96,7 +95,6 @@ func newWorkflowCreateCmd() *cobra.Command { cmd.Flags().StringVar(&team, "team", "", "team name") cmd.Flags().StringVar(&contractRef, "contract", "", "the name of an existing contract or the path/URL to a contract file. If not provided an empty one will be created.") - cmd.Flags().BoolVar(&public, "public", false, "is the workflow public") cmd.Flags().BoolVarP(&skipIfExists, "skip-if-exists", "f", false, "do not fail if the workflow with the provided name already exists") cmd.Flags().SortFlags = false diff --git a/app/cli/cmd/workflow_list.go b/app/cli/cmd/workflow_list.go index b2d51d538..3ec368eee 100644 --- a/app/cli/cmd/workflow_list.go +++ b/app/cli/cmd/workflow_list.go @@ -1,5 +1,5 @@ // -// Copyright 2024 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -97,8 +97,8 @@ func WorkflowListTableOutput(workflowListResult *action.WorkflowListResult) erro return nil } - headerRow := table.Row{"Name", "Project", "Contract", "Public", "Runner", "Last Run status", "Created At"} - headerRowFull := table.Row{"Name", "Description", "Project", "Team", "Contract", "Public", "Runner", "Last Run status", "Created At"} + headerRow := table.Row{"Name", "Project", "Contract", "Runner", "Last Run status", "Created At"} + headerRowFull := table.Row{"Name", "Description", "Project", "Team", "Contract", "Runner", "Last Run status", "Created At"} t := output.NewTableWriter() if full { @@ -117,14 +117,14 @@ func WorkflowListTableOutput(workflowListResult *action.WorkflowListResult) erro if !full { row = table.Row{ - p.Name, p.Project, p.ContractName, p.Public, + p.Name, p.Project, p.ContractName, lastRunRunner, lastRunState, p.CreatedAt.Format(time.RFC822), } } else { row = table.Row{ p.Name, p.Description, p.Project, p.Team, - p.ContractName, p.Public, + p.ContractName, lastRunRunner, lastRunState, p.CreatedAt.Format(time.RFC822), } diff --git a/app/cli/cmd/workflow_update.go b/app/cli/cmd/workflow_update.go index 965f78532..44913f5b7 100644 --- a/app/cli/cmd/workflow_update.go +++ b/app/cli/cmd/workflow_update.go @@ -1,5 +1,5 @@ // -// Copyright 2024 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -25,7 +25,6 @@ import ( func newWorkflowUpdateCmd() *cobra.Command { var name, description, project, team, contractName string - var public bool cmd := &cobra.Command{ Use: "update", @@ -35,9 +34,6 @@ func newWorkflowUpdateCmd() *cobra.Command { if cmd.Flags().Changed("team") { opts.Team = &team } - if cmd.Flags().Changed("public") { - opts.Public = &public - } if cmd.Flags().Changed("description") { opts.Description = &description @@ -64,7 +60,6 @@ func newWorkflowUpdateCmd() *cobra.Command { cmd.Flags().StringVar(&description, "description", "", "workflow description") cmd.Flags().StringVar(&team, "team", "", "team name") - cmd.Flags().BoolVar(&public, "public", false, "is the workflow public") cmd.Flags().StringVar(&contractName, "contract", "", "the name of an existing contract") return cmd diff --git a/app/cli/documentation/cli-reference.mdx b/app/cli/documentation/cli-reference.mdx index 979a8263f..63e58e572 100755 --- a/app/cli/documentation/cli-reference.mdx +++ b/app/cli/documentation/cli-reference.mdx @@ -1578,7 +1578,6 @@ Options -k, --kind string optional kind of the referrer, used to disambiguate between multiple referrers with the same digest --limit int number of items to show (default 20) --next string cursor to load the next page ---public discover from public shared index instead of your organizations' ``` Options inherited from parent commands @@ -3719,7 +3718,6 @@ Options --project string project name --team string team name --contract string the name of an existing contract or the path/URL to a contract file. If not provided an empty one will be created. ---public is the workflow public -f, --skip-if-exists do not fail if the workflow with the provided name already exists -h, --help help for create ``` @@ -3910,7 +3908,6 @@ Options -h, --help help for update --name string workflow name --project string project name ---public is the workflow public --team string team name ``` diff --git a/app/cli/pkg/action/referrer_discover.go b/app/cli/pkg/action/referrer_discover.go index 410a74329..44c903be1 100644 --- a/app/cli/pkg/action/referrer_discover.go +++ b/app/cli/pkg/action/referrer_discover.go @@ -25,15 +25,11 @@ import ( type ReferrerDiscover struct { cfg *ActionsOpts } -type ReferrerDiscoverPublic struct { - cfg *ActionsOpts -} type ReferrerItem struct { Digest string `json:"digest"` Kind string `json:"kind"` Downloadable bool `json:"downloadable"` - Public bool `json:"public"` CreatedAt *time.Time `json:"createdAt"` References []*ReferrerItem `json:"references"` Metadata map[string]string `json:"metadata,omitempty"` @@ -63,27 +59,6 @@ func (action *ReferrerDiscover) Run(ctx context.Context, digest, kind string, p return newReferrerDiscoverResult(resp.Result, resp.GetPagination()), nil } -func NewReferrerDiscoverPublicIndex(cfg *ActionsOpts) *ReferrerDiscoverPublic { - return &ReferrerDiscoverPublic{cfg} -} - -// Run calls the deprecated public shared index RPC, kept for backwards compatibility. -// -//nolint:staticcheck // the RPC is deprecated but still supported -func (action *ReferrerDiscoverPublic) Run(ctx context.Context, digest, kind string, p *PaginationOpts) (*ReferrerDiscoverResult, error) { - client := pb.NewReferrerServiceClient(action.cfg.CPConnection) - resp, err := client.DiscoverPublicShared(ctx, &pb.DiscoverPublicSharedRequest{ - Digest: digest, - Kind: kind, - Pagination: paginationOptsToPb(p), - }) - if err != nil { - return nil, err - } - - return newReferrerDiscoverResult(resp.Result, resp.GetPagination()), nil -} - func paginationOptsToPb(p *PaginationOpts) *pb.CursorPaginationRequest { if p == nil { return nil @@ -109,7 +84,6 @@ func pbReferrerItemToAction(in *pb.ReferrerItem) *ReferrerItem { out := &ReferrerItem{ Digest: in.GetDigest(), Downloadable: in.GetDownloadable(), - Public: in.GetPublic(), Kind: in.GetKind(), CreatedAt: toTimePtr(in.GetCreatedAt().AsTime()), References: make([]*ReferrerItem, 0, len(in.GetReferences())), diff --git a/app/cli/pkg/action/workflow_create.go b/app/cli/pkg/action/workflow_create.go index ed3426220..32f8daee8 100644 --- a/app/cli/pkg/action/workflow_create.go +++ b/app/cli/pkg/action/workflow_create.go @@ -1,5 +1,5 @@ // -// Copyright 2024 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -31,7 +31,6 @@ func NewWorkflowCreate(cfg *ActionsOpts) *WorkflowCreate { type NewWorkflowCreateOpts struct { Name, Description, Project, Team, ContractName string - Public bool ContractBytes []byte } @@ -40,7 +39,6 @@ func (action *WorkflowCreate) Run(opts *NewWorkflowCreateOpts) (*WorkflowItem, e resp, err := client.Create(context.Background(), &pb.WorkflowServiceCreateRequest{ Name: opts.Name, ProjectName: opts.Project, Team: opts.Team, ContractName: opts.ContractName, Description: opts.Description, - Public: opts.Public, ContractBytes: opts.ContractBytes, }) if err != nil { diff --git a/app/cli/pkg/action/workflow_list.go b/app/cli/pkg/action/workflow_list.go index c235718de..47be7a866 100644 --- a/app/cli/pkg/action/workflow_list.go +++ b/app/cli/pkg/action/workflow_list.go @@ -1,5 +1,5 @@ // -// Copyright 2024 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -38,10 +38,6 @@ type WorkflowItem struct { ContractName string `json:"contractName,omitempty"` ContractRevisionLatest int32 `json:"contractRevisionLatest,omitempty"` LastRun *WorkflowRunItem `json:"lastRun,omitempty"` - // A public workflow means that any user can - // - access to all its workflow runs - // - their attestation and materials - Public bool `json:"public"` } // WorkflowListResult holds the output of the workflow list action @@ -109,7 +105,6 @@ func pbWorkflowItemToAction(wf *pb.WorkflowItem) *WorkflowItem { ContractName: wf.ContractName, ContractRevisionLatest: wf.ContractRevisionLatest, LastRun: pbWorkflowRunItemToAction(wf.LastRun), - Public: wf.Public, Description: wf.Description, } } diff --git a/app/cli/pkg/action/workflow_update.go b/app/cli/pkg/action/workflow_update.go index 9f521f49d..64564b2f6 100644 --- a/app/cli/pkg/action/workflow_update.go +++ b/app/cli/pkg/action/workflow_update.go @@ -1,5 +1,5 @@ // -// Copyright 2023 The Chainloop Authors. +// Copyright 2023-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -31,7 +31,6 @@ func NewWorkflowUpdate(cfg *ActionsOpts) *WorkflowUpdate { type WorkflowUpdateOpts struct { Description, Team, ContractName *string - Public *bool } func (action *WorkflowUpdate) Run(ctx context.Context, name, project string, opts *WorkflowUpdateOpts) (*WorkflowItem, error) { @@ -41,7 +40,6 @@ func (action *WorkflowUpdate) Run(ctx context.Context, name, project string, opt ProjectName: project, Description: opts.Description, Team: opts.Team, - Public: opts.Public, ContractName: opts.ContractName, }) diff --git a/app/controlplane/api/controlplane/v1/referrer.pb.go b/app/controlplane/api/controlplane/v1/referrer.pb.go index 4f52d7174..160ea580b 100644 --- a/app/controlplane/api/controlplane/v1/referrer.pb.go +++ b/app/controlplane/api/controlplane/v1/referrer.pb.go @@ -125,129 +125,6 @@ func (x *ReferrerServiceDiscoverPrivateRequest) GetProjectVersion() string { return "" } -// DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method -// Deprecated: the public shared index is being retired. -// -// Deprecated: Marked as deprecated in controlplane/v1/referrer.proto. -type DiscoverPublicSharedRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - // Digest is the unique identifier of the referrer to discover - Digest string `protobuf:"bytes,1,opt,name=digest,proto3" json:"digest,omitempty"` - // Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ... - // Used to filter and resolve ambiguities - Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` - // Pagination options for the references list - Pagination *CursorPaginationRequest `protobuf:"bytes,3,opt,name=pagination,proto3" json:"pagination,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache -} - -func (x *DiscoverPublicSharedRequest) Reset() { - *x = DiscoverPublicSharedRequest{} - mi := &file_controlplane_v1_referrer_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *DiscoverPublicSharedRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DiscoverPublicSharedRequest) ProtoMessage() {} - -func (x *DiscoverPublicSharedRequest) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_v1_referrer_proto_msgTypes[1] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DiscoverPublicSharedRequest.ProtoReflect.Descriptor instead. -func (*DiscoverPublicSharedRequest) Descriptor() ([]byte, []int) { - return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{1} -} - -func (x *DiscoverPublicSharedRequest) GetDigest() string { - if x != nil { - return x.Digest - } - return "" -} - -func (x *DiscoverPublicSharedRequest) GetKind() string { - if x != nil { - return x.Kind - } - return "" -} - -func (x *DiscoverPublicSharedRequest) GetPagination() *CursorPaginationRequest { - if x != nil { - return x.Pagination - } - return nil -} - -// DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method -type DiscoverPublicSharedResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - // Result is the discovered referrer item - Result *ReferrerItem `protobuf:"bytes,1,opt,name=result,proto3" json:"result,omitempty"` - // Pagination information for the references list - Pagination *CursorPaginationResponse `protobuf:"bytes,2,opt,name=pagination,proto3" json:"pagination,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache -} - -func (x *DiscoverPublicSharedResponse) Reset() { - *x = DiscoverPublicSharedResponse{} - mi := &file_controlplane_v1_referrer_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *DiscoverPublicSharedResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DiscoverPublicSharedResponse) ProtoMessage() {} - -func (x *DiscoverPublicSharedResponse) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_v1_referrer_proto_msgTypes[2] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DiscoverPublicSharedResponse.ProtoReflect.Descriptor instead. -func (*DiscoverPublicSharedResponse) Descriptor() ([]byte, []int) { - return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{2} -} - -func (x *DiscoverPublicSharedResponse) GetResult() *ReferrerItem { - if x != nil { - return x.Result - } - return nil -} - -func (x *DiscoverPublicSharedResponse) GetPagination() *CursorPaginationResponse { - if x != nil { - return x.Pagination - } - return nil -} - // ReferrerServiceDiscoverPrivateResponse is the response for the DiscoverPrivate method type ReferrerServiceDiscoverPrivateResponse struct { state protoimpl.MessageState `protogen:"open.v1"` @@ -261,7 +138,7 @@ type ReferrerServiceDiscoverPrivateResponse struct { func (x *ReferrerServiceDiscoverPrivateResponse) Reset() { *x = ReferrerServiceDiscoverPrivateResponse{} - mi := &file_controlplane_v1_referrer_proto_msgTypes[3] + mi := &file_controlplane_v1_referrer_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -273,7 +150,7 @@ func (x *ReferrerServiceDiscoverPrivateResponse) String() string { func (*ReferrerServiceDiscoverPrivateResponse) ProtoMessage() {} func (x *ReferrerServiceDiscoverPrivateResponse) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_v1_referrer_proto_msgTypes[3] + mi := &file_controlplane_v1_referrer_proto_msgTypes[1] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -286,7 +163,7 @@ func (x *ReferrerServiceDiscoverPrivateResponse) ProtoReflect() protoreflect.Mes // Deprecated: Use ReferrerServiceDiscoverPrivateResponse.ProtoReflect.Descriptor instead. func (*ReferrerServiceDiscoverPrivateResponse) Descriptor() ([]byte, []int) { - return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{3} + return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{1} } func (x *ReferrerServiceDiscoverPrivateResponse) GetResult() *ReferrerItem { @@ -312,8 +189,6 @@ type ReferrerItem struct { Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` // Downloadable indicates whether the referrer is downloadable or not from CAS Downloadable bool `protobuf:"varint,3,opt,name=downloadable,proto3" json:"downloadable,omitempty"` - // Public indicates whether the referrer is public since it belongs to a public workflow - Public bool `protobuf:"varint,6,opt,name=public,proto3" json:"public,omitempty"` // References contains the list of related referrer items References []*ReferrerItem `protobuf:"bytes,4,rep,name=references,proto3" json:"references,omitempty"` // CreatedAt is the timestamp when the referrer was created @@ -328,7 +203,7 @@ type ReferrerItem struct { func (x *ReferrerItem) Reset() { *x = ReferrerItem{} - mi := &file_controlplane_v1_referrer_proto_msgTypes[4] + mi := &file_controlplane_v1_referrer_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -340,7 +215,7 @@ func (x *ReferrerItem) String() string { func (*ReferrerItem) ProtoMessage() {} func (x *ReferrerItem) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_v1_referrer_proto_msgTypes[4] + mi := &file_controlplane_v1_referrer_proto_msgTypes[2] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -353,7 +228,7 @@ func (x *ReferrerItem) ProtoReflect() protoreflect.Message { // Deprecated: Use ReferrerItem.ProtoReflect.Descriptor instead. func (*ReferrerItem) Descriptor() ([]byte, []int) { - return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{4} + return file_controlplane_v1_referrer_proto_rawDescGZIP(), []int{2} } func (x *ReferrerItem) GetDigest() string { @@ -377,13 +252,6 @@ func (x *ReferrerItem) GetDownloadable() bool { return false } -func (x *ReferrerItem) GetPublic() bool { - if x != nil { - return x.Public - } - return false -} - func (x *ReferrerItem) GetReferences() []*ReferrerItem { if x != nil { return x.References @@ -426,31 +294,17 @@ const file_controlplane_v1_referrer_proto_rawDesc = "" + "\fproject_name\x18\x04 \x01(\tR\vprojectName\x12'\n" + "\x0fproject_version\x18\x05 \x01(\tR\x0eprojectVersion:\xfb\x01\x92AQ\n" + "O*%ReferrerServiceDiscoverPrivateRequest2&Request to discover a private referrer\xbaH\xa3\x01\x1a\xa0\x01\n" + - ".discover_project_version_requires_project_name\x124project_name must be set when project_version is set\x1a8!(this.project_version != '' && this.project_name == '')\"\xf0\x01\n" + - "\x1bDiscoverPublicSharedRequest\x12\x1f\n" + - "\x06digest\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x06digest\x12\x12\n" + - "\x04kind\x18\x02 \x01(\tR\x04kind\x12H\n" + - "\n" + - "pagination\x18\x03 \x01(\v2(.controlplane.v1.CursorPaginationRequestR\n" + - "pagination:R\x92AM\n" + - "K*\x1bDiscoverPublicSharedRequest2,Request to discover a public shared referrer\x18\x01\"\xf3\x01\n" + - "\x1cDiscoverPublicSharedResponse\x125\n" + - "\x06result\x18\x01 \x01(\v2\x1d.controlplane.v1.ReferrerItemR\x06result\x12I\n" + - "\n" + - "pagination\x18\x02 \x01(\v2).controlplane.v1.CursorPaginationResponseR\n" + - "pagination:Q\x92AN\n" + - "L*\x1cDiscoverPublicSharedResponse2,Response for the DiscoverPublicShared method\"\x82\x02\n" + + ".discover_project_version_requires_project_name\x124project_name must be set when project_version is set\x1a8!(this.project_version != '' && this.project_name == '')\"\x82\x02\n" + "&ReferrerServiceDiscoverPrivateResponse\x125\n" + "\x06result\x18\x01 \x01(\v2\x1d.controlplane.v1.ReferrerItemR\x06result\x12I\n" + "\n" + "pagination\x18\x02 \x01(\v2).controlplane.v1.CursorPaginationResponseR\n" + "pagination:V\x92AS\n" + - "Q*&ReferrerServiceDiscoverPrivateResponse2'Response for the DiscoverPrivate method\"\xcc\x04\n" + + "Q*&ReferrerServiceDiscoverPrivateResponse2'Response for the DiscoverPrivate method\"\xc2\x04\n" + "\fReferrerItem\x12\x16\n" + "\x06digest\x18\x01 \x01(\tR\x06digest\x12\x12\n" + "\x04kind\x18\x02 \x01(\tR\x04kind\x12\"\n" + - "\fdownloadable\x18\x03 \x01(\bR\fdownloadable\x12\x16\n" + - "\x06public\x18\x06 \x01(\bR\x06public\x12=\n" + + "\fdownloadable\x18\x03 \x01(\bR\fdownloadable\x12=\n" + "\n" + "references\x18\x04 \x03(\v2\x1d.controlplane.v1.ReferrerItemR\n" + "references\x129\n" + @@ -464,10 +318,9 @@ const file_controlplane_v1_referrer_proto_rawDesc = "" + "\x10AnnotationsEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01:B\x92A?\n" + - "=*\fReferrerItem2-It represents a referrer object in the system2\xac\x05\n" + + "=*\fReferrerItem2-It represents a referrer object in the systemJ\x04\b\x06\x10\aR\x06public2\x90\x03\n" + "\x0fReferrerService\x12\xa9\x02\n" + - "\x0fDiscoverPrivate\x126.controlplane.v1.ReferrerServiceDiscoverPrivateRequest\x1a7.controlplane.v1.ReferrerServiceDiscoverPrivateResponse\"\xa4\x01\x92A\x86\x01\x12\x19Discover private referrer\x1aWReturns the referrer item for a given digest in the organizations of the logged-in user:\x10application/json\x82\xd3\xe4\x93\x02\x14\x12\x12/discover/{digest}\x12\x99\x02\n" + - "\x14DiscoverPublicShared\x12,.controlplane.v1.DiscoverPublicSharedRequest\x1a-.controlplane.v1.DiscoverPublicSharedResponse\"\xa3\x01\x92A|\x12\x1fDiscover public shared referrer\x1aGReturns the referrer item for a given digest in the public shared index:\x10application/json\x82\xd3\xe4\x93\x02\x1b\x12\x19/discover/shared/{digest}\x88\x02\x01\x1aQ\x92AN\n" + + "\x0fDiscoverPrivate\x126.controlplane.v1.ReferrerServiceDiscoverPrivateRequest\x1a7.controlplane.v1.ReferrerServiceDiscoverPrivateResponse\"\xa4\x01\x92A\x86\x01\x12\x19Discover private referrer\x1aWReturns the referrer item for a given digest in the organizations of the logged-in user:\x10application/json\x82\xd3\xe4\x93\x02\x14\x12\x12/discover/{digest}\x1aQ\x92AN\n" + "\x0fReferrerService\x12;Referrer service for discovering referred content by digestBLZJgithub.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1;v1b\x06proto3" var ( @@ -482,39 +335,32 @@ func file_controlplane_v1_referrer_proto_rawDescGZIP() []byte { return file_controlplane_v1_referrer_proto_rawDescData } -var file_controlplane_v1_referrer_proto_msgTypes = make([]protoimpl.MessageInfo, 7) +var file_controlplane_v1_referrer_proto_msgTypes = make([]protoimpl.MessageInfo, 5) var file_controlplane_v1_referrer_proto_goTypes = []any{ (*ReferrerServiceDiscoverPrivateRequest)(nil), // 0: controlplane.v1.ReferrerServiceDiscoverPrivateRequest - (*DiscoverPublicSharedRequest)(nil), // 1: controlplane.v1.DiscoverPublicSharedRequest - (*DiscoverPublicSharedResponse)(nil), // 2: controlplane.v1.DiscoverPublicSharedResponse - (*ReferrerServiceDiscoverPrivateResponse)(nil), // 3: controlplane.v1.ReferrerServiceDiscoverPrivateResponse - (*ReferrerItem)(nil), // 4: controlplane.v1.ReferrerItem - nil, // 5: controlplane.v1.ReferrerItem.MetadataEntry - nil, // 6: controlplane.v1.ReferrerItem.AnnotationsEntry - (*CursorPaginationRequest)(nil), // 7: controlplane.v1.CursorPaginationRequest - (*CursorPaginationResponse)(nil), // 8: controlplane.v1.CursorPaginationResponse - (*timestamppb.Timestamp)(nil), // 9: google.protobuf.Timestamp + (*ReferrerServiceDiscoverPrivateResponse)(nil), // 1: controlplane.v1.ReferrerServiceDiscoverPrivateResponse + (*ReferrerItem)(nil), // 2: controlplane.v1.ReferrerItem + nil, // 3: controlplane.v1.ReferrerItem.MetadataEntry + nil, // 4: controlplane.v1.ReferrerItem.AnnotationsEntry + (*CursorPaginationRequest)(nil), // 5: controlplane.v1.CursorPaginationRequest + (*CursorPaginationResponse)(nil), // 6: controlplane.v1.CursorPaginationResponse + (*timestamppb.Timestamp)(nil), // 7: google.protobuf.Timestamp } var file_controlplane_v1_referrer_proto_depIdxs = []int32{ - 7, // 0: controlplane.v1.ReferrerServiceDiscoverPrivateRequest.pagination:type_name -> controlplane.v1.CursorPaginationRequest - 7, // 1: controlplane.v1.DiscoverPublicSharedRequest.pagination:type_name -> controlplane.v1.CursorPaginationRequest - 4, // 2: controlplane.v1.DiscoverPublicSharedResponse.result:type_name -> controlplane.v1.ReferrerItem - 8, // 3: controlplane.v1.DiscoverPublicSharedResponse.pagination:type_name -> controlplane.v1.CursorPaginationResponse - 4, // 4: controlplane.v1.ReferrerServiceDiscoverPrivateResponse.result:type_name -> controlplane.v1.ReferrerItem - 8, // 5: controlplane.v1.ReferrerServiceDiscoverPrivateResponse.pagination:type_name -> controlplane.v1.CursorPaginationResponse - 4, // 6: controlplane.v1.ReferrerItem.references:type_name -> controlplane.v1.ReferrerItem - 9, // 7: controlplane.v1.ReferrerItem.created_at:type_name -> google.protobuf.Timestamp - 5, // 8: controlplane.v1.ReferrerItem.metadata:type_name -> controlplane.v1.ReferrerItem.MetadataEntry - 6, // 9: controlplane.v1.ReferrerItem.annotations:type_name -> controlplane.v1.ReferrerItem.AnnotationsEntry - 0, // 10: controlplane.v1.ReferrerService.DiscoverPrivate:input_type -> controlplane.v1.ReferrerServiceDiscoverPrivateRequest - 1, // 11: controlplane.v1.ReferrerService.DiscoverPublicShared:input_type -> controlplane.v1.DiscoverPublicSharedRequest - 3, // 12: controlplane.v1.ReferrerService.DiscoverPrivate:output_type -> controlplane.v1.ReferrerServiceDiscoverPrivateResponse - 2, // 13: controlplane.v1.ReferrerService.DiscoverPublicShared:output_type -> controlplane.v1.DiscoverPublicSharedResponse - 12, // [12:14] is the sub-list for method output_type - 10, // [10:12] is the sub-list for method input_type - 10, // [10:10] is the sub-list for extension type_name - 10, // [10:10] is the sub-list for extension extendee - 0, // [0:10] is the sub-list for field type_name + 5, // 0: controlplane.v1.ReferrerServiceDiscoverPrivateRequest.pagination:type_name -> controlplane.v1.CursorPaginationRequest + 2, // 1: controlplane.v1.ReferrerServiceDiscoverPrivateResponse.result:type_name -> controlplane.v1.ReferrerItem + 6, // 2: controlplane.v1.ReferrerServiceDiscoverPrivateResponse.pagination:type_name -> controlplane.v1.CursorPaginationResponse + 2, // 3: controlplane.v1.ReferrerItem.references:type_name -> controlplane.v1.ReferrerItem + 7, // 4: controlplane.v1.ReferrerItem.created_at:type_name -> google.protobuf.Timestamp + 3, // 5: controlplane.v1.ReferrerItem.metadata:type_name -> controlplane.v1.ReferrerItem.MetadataEntry + 4, // 6: controlplane.v1.ReferrerItem.annotations:type_name -> controlplane.v1.ReferrerItem.AnnotationsEntry + 0, // 7: controlplane.v1.ReferrerService.DiscoverPrivate:input_type -> controlplane.v1.ReferrerServiceDiscoverPrivateRequest + 1, // 8: controlplane.v1.ReferrerService.DiscoverPrivate:output_type -> controlplane.v1.ReferrerServiceDiscoverPrivateResponse + 8, // [8:9] is the sub-list for method output_type + 7, // [7:8] is the sub-list for method input_type + 7, // [7:7] is the sub-list for extension type_name + 7, // [7:7] is the sub-list for extension extendee + 0, // [0:7] is the sub-list for field type_name } func init() { file_controlplane_v1_referrer_proto_init() } @@ -529,7 +375,7 @@ func file_controlplane_v1_referrer_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_controlplane_v1_referrer_proto_rawDesc), len(file_controlplane_v1_referrer_proto_rawDesc)), NumEnums: 0, - NumMessages: 7, + NumMessages: 5, NumExtensions: 0, NumServices: 1, }, diff --git a/app/controlplane/api/controlplane/v1/referrer.proto b/app/controlplane/api/controlplane/v1/referrer.proto index aeb6ba0b3..ce5be09f9 100644 --- a/app/controlplane/api/controlplane/v1/referrer.proto +++ b/app/controlplane/api/controlplane/v1/referrer.proto @@ -35,18 +35,6 @@ service ReferrerService { produces: ["application/json"] }; } - // DiscoverPublicShared returns the referrer item for a given digest in the public shared index - // Deprecated: the public shared index is being retired. - rpc DiscoverPublicShared(DiscoverPublicSharedRequest) returns (DiscoverPublicSharedResponse) { - option deprecated = true; - option (google.api.http) = {get: "/discover/shared/{digest}"}; - option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { - summary: "Discover public shared referrer" - description: "Returns the referrer item for a given digest in the public shared index" - produces: ["application/json"] - }; - } - option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_tag) = { name: "ReferrerService" description: "Referrer service for discovering referred content by digest" @@ -85,42 +73,6 @@ message ReferrerServiceDiscoverPrivateRequest { }; } -// DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method -// Deprecated: the public shared index is being retired. -message DiscoverPublicSharedRequest { - option deprecated = true; - - // Digest is the unique identifier of the referrer to discover - string digest = 1 [(buf.validate.field).string = {min_len: 1}]; - // Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ... - // Used to filter and resolve ambiguities - string kind = 2; - // Pagination options for the references list - CursorPaginationRequest pagination = 3; - - option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { - json_schema: { - title: "DiscoverPublicSharedRequest" - description: "Request to discover a public shared referrer" - } - }; -} - -// DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method -message DiscoverPublicSharedResponse { - // Result is the discovered referrer item - ReferrerItem result = 1; - // Pagination information for the references list - CursorPaginationResponse pagination = 2; - - option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { - json_schema: { - title: "DiscoverPublicSharedResponse" - description: "Response for the DiscoverPublicShared method" - } - }; -} - // ReferrerServiceDiscoverPrivateResponse is the response for the DiscoverPrivate method message ReferrerServiceDiscoverPrivateResponse { // Result is the discovered referrer item @@ -144,8 +96,8 @@ message ReferrerItem { string kind = 2; // Downloadable indicates whether the referrer is downloadable or not from CAS bool downloadable = 3; - // Public indicates whether the referrer is public since it belongs to a public workflow - bool public = 6; + reserved 6; + reserved "public"; // References contains the list of related referrer items repeated ReferrerItem references = 4; // CreatedAt is the timestamp when the referrer was created diff --git a/app/controlplane/api/controlplane/v1/referrer_grpc.pb.go b/app/controlplane/api/controlplane/v1/referrer_grpc.pb.go index 3f2303ee9..62856be96 100644 --- a/app/controlplane/api/controlplane/v1/referrer_grpc.pb.go +++ b/app/controlplane/api/controlplane/v1/referrer_grpc.pb.go @@ -34,8 +34,7 @@ import ( const _ = grpc.SupportPackageIsVersion7 const ( - ReferrerService_DiscoverPrivate_FullMethodName = "/controlplane.v1.ReferrerService/DiscoverPrivate" - ReferrerService_DiscoverPublicShared_FullMethodName = "/controlplane.v1.ReferrerService/DiscoverPublicShared" + ReferrerService_DiscoverPrivate_FullMethodName = "/controlplane.v1.ReferrerService/DiscoverPrivate" ) // ReferrerServiceClient is the client API for ReferrerService service. @@ -44,10 +43,6 @@ const ( type ReferrerServiceClient interface { // DiscoverPrivate returns the referrer item for a given digest in the organizations of the logged-in user DiscoverPrivate(ctx context.Context, in *ReferrerServiceDiscoverPrivateRequest, opts ...grpc.CallOption) (*ReferrerServiceDiscoverPrivateResponse, error) - // Deprecated: Do not use. - // DiscoverPublicShared returns the referrer item for a given digest in the public shared index - // Deprecated: the public shared index is being retired. - DiscoverPublicShared(ctx context.Context, in *DiscoverPublicSharedRequest, opts ...grpc.CallOption) (*DiscoverPublicSharedResponse, error) } type referrerServiceClient struct { @@ -67,26 +62,12 @@ func (c *referrerServiceClient) DiscoverPrivate(ctx context.Context, in *Referre return out, nil } -// Deprecated: Do not use. -func (c *referrerServiceClient) DiscoverPublicShared(ctx context.Context, in *DiscoverPublicSharedRequest, opts ...grpc.CallOption) (*DiscoverPublicSharedResponse, error) { - out := new(DiscoverPublicSharedResponse) - err := c.cc.Invoke(ctx, ReferrerService_DiscoverPublicShared_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - // ReferrerServiceServer is the server API for ReferrerService service. // All implementations must embed UnimplementedReferrerServiceServer // for forward compatibility type ReferrerServiceServer interface { // DiscoverPrivate returns the referrer item for a given digest in the organizations of the logged-in user DiscoverPrivate(context.Context, *ReferrerServiceDiscoverPrivateRequest) (*ReferrerServiceDiscoverPrivateResponse, error) - // Deprecated: Do not use. - // DiscoverPublicShared returns the referrer item for a given digest in the public shared index - // Deprecated: the public shared index is being retired. - DiscoverPublicShared(context.Context, *DiscoverPublicSharedRequest) (*DiscoverPublicSharedResponse, error) mustEmbedUnimplementedReferrerServiceServer() } @@ -97,9 +78,6 @@ type UnimplementedReferrerServiceServer struct { func (UnimplementedReferrerServiceServer) DiscoverPrivate(context.Context, *ReferrerServiceDiscoverPrivateRequest) (*ReferrerServiceDiscoverPrivateResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method DiscoverPrivate not implemented") } -func (UnimplementedReferrerServiceServer) DiscoverPublicShared(context.Context, *DiscoverPublicSharedRequest) (*DiscoverPublicSharedResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method DiscoverPublicShared not implemented") -} func (UnimplementedReferrerServiceServer) mustEmbedUnimplementedReferrerServiceServer() {} // UnsafeReferrerServiceServer may be embedded to opt out of forward compatibility for this service. @@ -131,24 +109,6 @@ func _ReferrerService_DiscoverPrivate_Handler(srv interface{}, ctx context.Conte return interceptor(ctx, in, info, handler) } -func _ReferrerService_DiscoverPublicShared_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(DiscoverPublicSharedRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(ReferrerServiceServer).DiscoverPublicShared(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: ReferrerService_DiscoverPublicShared_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(ReferrerServiceServer).DiscoverPublicShared(ctx, req.(*DiscoverPublicSharedRequest)) - } - return interceptor(ctx, in, info, handler) -} - // ReferrerService_ServiceDesc is the grpc.ServiceDesc for ReferrerService service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) @@ -160,10 +120,6 @@ var ReferrerService_ServiceDesc = grpc.ServiceDesc{ MethodName: "DiscoverPrivate", Handler: _ReferrerService_DiscoverPrivate_Handler, }, - { - MethodName: "DiscoverPublicShared", - Handler: _ReferrerService_DiscoverPublicShared_Handler, - }, }, Streams: []grpc.StreamDesc{}, Metadata: "controlplane/v1/referrer.proto", diff --git a/app/controlplane/api/controlplane/v1/referrer_http.pb.go b/app/controlplane/api/controlplane/v1/referrer_http.pb.go index 14d169f4c..24f71246a 100644 --- a/app/controlplane/api/controlplane/v1/referrer_http.pb.go +++ b/app/controlplane/api/controlplane/v1/referrer_http.pb.go @@ -20,20 +20,15 @@ var _ = binding.EncodeURL const _ = http.SupportPackageIsVersion1 const OperationReferrerServiceDiscoverPrivate = "/controlplane.v1.ReferrerService/DiscoverPrivate" -const OperationReferrerServiceDiscoverPublicShared = "/controlplane.v1.ReferrerService/DiscoverPublicShared" type ReferrerServiceHTTPServer interface { // DiscoverPrivate DiscoverPrivate returns the referrer item for a given digest in the organizations of the logged-in user DiscoverPrivate(context.Context, *ReferrerServiceDiscoverPrivateRequest) (*ReferrerServiceDiscoverPrivateResponse, error) - // DiscoverPublicShared DiscoverPublicShared returns the referrer item for a given digest in the public shared index - // Deprecated: the public shared index is being retired. - DiscoverPublicShared(context.Context, *DiscoverPublicSharedRequest) (*DiscoverPublicSharedResponse, error) } func RegisterReferrerServiceHTTPServer(s *http.Server, srv ReferrerServiceHTTPServer) { r := s.Route("/") r.GET("/discover/{digest}", _ReferrerService_DiscoverPrivate0_HTTP_Handler(srv)) - r.GET("/discover/shared/{digest}", _ReferrerService_DiscoverPublicShared0_HTTP_Handler(srv)) } func _ReferrerService_DiscoverPrivate0_HTTP_Handler(srv ReferrerServiceHTTPServer) func(ctx http.Context) error { @@ -58,31 +53,8 @@ func _ReferrerService_DiscoverPrivate0_HTTP_Handler(srv ReferrerServiceHTTPServe } } -func _ReferrerService_DiscoverPublicShared0_HTTP_Handler(srv ReferrerServiceHTTPServer) func(ctx http.Context) error { - return func(ctx http.Context) error { - var in DiscoverPublicSharedRequest - if err := ctx.BindQuery(&in); err != nil { - return err - } - if err := ctx.BindVars(&in); err != nil { - return err - } - http.SetOperation(ctx, OperationReferrerServiceDiscoverPublicShared) - h := ctx.Middleware(func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.DiscoverPublicShared(ctx, req.(*DiscoverPublicSharedRequest)) - }) - out, err := h(ctx, &in) - if err != nil { - return err - } - reply := out.(*DiscoverPublicSharedResponse) - return ctx.Result(200, reply) - } -} - type ReferrerServiceHTTPClient interface { DiscoverPrivate(ctx context.Context, req *ReferrerServiceDiscoverPrivateRequest, opts ...http.CallOption) (rsp *ReferrerServiceDiscoverPrivateResponse, err error) - DiscoverPublicShared(ctx context.Context, req *DiscoverPublicSharedRequest, opts ...http.CallOption) (rsp *DiscoverPublicSharedResponse, err error) } type ReferrerServiceHTTPClientImpl struct { @@ -105,16 +77,3 @@ func (c *ReferrerServiceHTTPClientImpl) DiscoverPrivate(ctx context.Context, in } return &out, err } - -func (c *ReferrerServiceHTTPClientImpl) DiscoverPublicShared(ctx context.Context, in *DiscoverPublicSharedRequest, opts ...http.CallOption) (*DiscoverPublicSharedResponse, error) { - var out DiscoverPublicSharedResponse - pattern := "/discover/shared/{digest}" - path := binding.EncodeURL(pattern, in, true) - opts = append(opts, http.Operation(OperationReferrerServiceDiscoverPublicShared)) - opts = append(opts, http.PathTemplate(pattern)) - err := c.cc.Invoke(ctx, "GET", path, nil, &out, opts...) - if err != nil { - return nil, err - } - return &out, err -} diff --git a/app/controlplane/api/controlplane/v1/response_messages.pb.go b/app/controlplane/api/controlplane/v1/response_messages.pb.go index 98354281b..1f996e42f 100644 --- a/app/controlplane/api/controlplane/v1/response_messages.pb.go +++ b/app/controlplane/api/controlplane/v1/response_messages.pb.go @@ -742,9 +742,10 @@ type WorkflowItem struct { ContractName string `protobuf:"bytes,8,opt,name=contract_name,json=contractName,proto3" json:"contract_name,omitempty"` // Current, latest revision of the contract ContractRevisionLatest int32 `protobuf:"varint,11,opt,name=contract_revision_latest,json=contractRevisionLatest,proto3" json:"contract_revision_latest,omitempty"` - // A public workflow means that any user can - // - access to all its workflow runs - // - their attestation and materials + // Deprecated: public workflows were removed. This field is always false and + // is retained only for wire compatibility; it will be removed in a future release. + // + // Deprecated: Marked as deprecated in controlplane/v1/response_messages.proto. Public bool `protobuf:"varint,9,opt,name=public,proto3" json:"public,omitempty"` Description string `protobuf:"bytes,10,opt,name=description,proto3" json:"description,omitempty"` unknownFields protoimpl.UnknownFields @@ -851,6 +852,7 @@ func (x *WorkflowItem) GetContractRevisionLatest() int32 { return 0 } +// Deprecated: Marked as deprecated in controlplane/v1/response_messages.proto. func (x *WorkflowItem) GetPublic() bool { if x != nil { return x.Public @@ -3101,7 +3103,7 @@ var File_controlplane_v1_response_messages_proto protoreflect.FileDescriptor const file_controlplane_v1_response_messages_proto_rawDesc = "" + "\n" + - "'controlplane/v1/response_messages.proto\x12\x0fcontrolplane.v1\x1a#attestation/v1/crafting_state.proto\x1a\x1bbuf/validate/validate.proto\x1a\x13errors/errors.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a)workflowcontract/v1/crafting_schema.proto\"\xb9\x03\n" + + "'controlplane/v1/response_messages.proto\x12\x0fcontrolplane.v1\x1a#attestation/v1/crafting_state.proto\x1a\x1bbuf/validate/validate.proto\x1a\x13errors/errors.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a)workflowcontract/v1/crafting_schema.proto\"\xbd\x03\n" + "\fWorkflowItem\x12\x0e\n" + "\x02id\x18\x01 \x01(\tR\x02id\x12\x12\n" + "\x04name\x18\x02 \x01(\tR\x04name\x12\x18\n" + @@ -3115,8 +3117,8 @@ const file_controlplane_v1_response_messages_proto_rawDesc = "" + "runs_count\x18\x06 \x01(\x05R\trunsCount\x12;\n" + "\blast_run\x18\a \x01(\v2 .controlplane.v1.WorkflowRunItemR\alastRun\x12#\n" + "\rcontract_name\x18\b \x01(\tR\fcontractName\x128\n" + - "\x18contract_revision_latest\x18\v \x01(\x05R\x16contractRevisionLatest\x12\x16\n" + - "\x06public\x18\t \x01(\bR\x06public\x12 \n" + + "\x18contract_revision_latest\x18\v \x01(\x05R\x16contractRevisionLatest\x12\x1a\n" + + "\x06public\x18\t \x01(\bB\x02\x18\x01R\x06public\x12 \n" + "\vdescription\x18\n" + " \x01(\tR\vdescription\"\xd3\x06\n" + "\x0fWorkflowRunItem\x12\x0e\n" + diff --git a/app/controlplane/api/controlplane/v1/response_messages.proto b/app/controlplane/api/controlplane/v1/response_messages.proto index e7d79f43d..10d275536 100644 --- a/app/controlplane/api/controlplane/v1/response_messages.proto +++ b/app/controlplane/api/controlplane/v1/response_messages.proto @@ -38,10 +38,9 @@ message WorkflowItem { string contract_name = 8; // Current, latest revision of the contract int32 contract_revision_latest = 11; - // A public workflow means that any user can - // - access to all its workflow runs - // - their attestation and materials - bool public = 9; + // Deprecated: public workflows were removed. This field is always false and + // is retained only for wire compatibility; it will be removed in a future release. + bool public = 9 [deprecated = true]; string description = 10; } diff --git a/app/controlplane/api/controlplane/v1/workflow.pb.go b/app/controlplane/api/controlplane/v1/workflow.pb.go index 093f4a463..fb7c605c9 100644 --- a/app/controlplane/api/controlplane/v1/workflow.pb.go +++ b/app/controlplane/api/controlplane/v1/workflow.pb.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -102,7 +102,6 @@ type WorkflowServiceCreateRequest struct { ContractBytes []byte `protobuf:"bytes,4,opt,name=contract_bytes,json=contractBytes,proto3" json:"contract_bytes,omitempty"` Team string `protobuf:"bytes,5,opt,name=team,proto3" json:"team,omitempty"` Description string `protobuf:"bytes,6,opt,name=description,proto3" json:"description,omitempty"` - Public bool `protobuf:"varint,7,opt,name=public,proto3" json:"public,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -179,13 +178,6 @@ func (x *WorkflowServiceCreateRequest) GetDescription() string { return "" } -func (x *WorkflowServiceCreateRequest) GetPublic() bool { - if x != nil { - return x.Public - } - return false -} - type WorkflowServiceUpdateRequest struct { state protoimpl.MessageState `protogen:"open.v1"` Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` @@ -193,7 +185,6 @@ type WorkflowServiceUpdateRequest struct { // and not just the default value ProjectName string `protobuf:"bytes,3,opt,name=project_name,json=projectName,proto3" json:"project_name,omitempty"` Team *string `protobuf:"bytes,4,opt,name=team,proto3,oneof" json:"team,omitempty"` - Public *bool `protobuf:"varint,5,opt,name=public,proto3,oneof" json:"public,omitempty"` Description *string `protobuf:"bytes,6,opt,name=description,proto3,oneof" json:"description,omitempty"` ContractName *string `protobuf:"bytes,7,opt,name=contract_name,json=contractName,proto3,oneof" json:"contract_name,omitempty"` unknownFields protoimpl.UnknownFields @@ -251,13 +242,6 @@ func (x *WorkflowServiceUpdateRequest) GetTeam() string { return "" } -func (x *WorkflowServiceUpdateRequest) GetPublic() bool { - if x != nil && x.Public != nil { - return *x.Public - } - return false -} - func (x *WorkflowServiceUpdateRequest) GetDescription() string { if x != nil && x.Description != nil { return *x.Description @@ -458,8 +442,6 @@ type WorkflowServiceListRequest struct { ProjectNames []string `protobuf:"bytes,3,rep,name=project_names,json=projectNames,proto3" json:"project_names,omitempty"` // The description of the workflow WorkflowDescription string `protobuf:"bytes,4,opt,name=workflow_description,json=workflowDescription,proto3" json:"workflow_description,omitempty"` - // If the workflow is public - WorkflowPublic *bool `protobuf:"varint,5,opt,name=workflow_public,json=workflowPublic,proto3,oneof" json:"workflow_public,omitempty"` // The type of runner that ran the workflow WorkflowRunRunnerType v1.CraftingSchema_Runner_RunnerType `protobuf:"varint,6,opt,name=workflow_run_runner_type,json=workflowRunRunnerType,proto3,enum=workflowcontract.v1.CraftingSchema_Runner_RunnerType" json:"workflow_run_runner_type,omitempty"` // The status of the last workflow run @@ -532,13 +514,6 @@ func (x *WorkflowServiceListRequest) GetWorkflowDescription() string { return "" } -func (x *WorkflowServiceListRequest) GetWorkflowPublic() bool { - if x != nil && x.WorkflowPublic != nil { - return *x.WorkflowPublic - } - return false -} - func (x *WorkflowServiceListRequest) GetWorkflowRunRunnerType() v1.CraftingSchema_Runner_RunnerType { if x != nil { return x.WorkflowRunRunnerType @@ -726,7 +701,7 @@ var File_controlplane_v1_workflow_proto protoreflect.FileDescriptor const file_controlplane_v1_workflow_proto_rawDesc = "" + "\n" + - "\x1econtrolplane/v1/workflow.proto\x12\x0fcontrolplane.v1\x1a\x1bbuf/validate/validate.proto\x1a controlplane/v1/pagination.proto\x1a'controlplane/v1/response_messages.proto\x1a\x1ejsonfilter/v1/jsonfilter.proto\x1a)workflowcontract/v1/crafting_schema.proto\"\x88\x04\n" + + "\x1econtrolplane/v1/workflow.proto\x12\x0fcontrolplane.v1\x1a\x1bbuf/validate/validate.proto\x1a controlplane/v1/pagination.proto\x1a'controlplane/v1/response_messages.proto\x1a\x1ejsonfilter/v1/jsonfilter.proto\x1a)workflowcontract/v1/crafting_schema.proto\"\xfe\x03\n" + "\x1cWorkflowServiceCreateRequest\x12\x97\x01\n" + "\x04name\x18\x01 \x01(\tB\x82\x01\xbaH\x7f\xba\x01|\n" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')R\x04name\x12*\n" + @@ -735,21 +710,18 @@ const file_controlplane_v1_workflow_proto_rawDesc = "" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')\xd8\x01\x01R\fcontractName\x12%\n" + "\x0econtract_bytes\x18\x04 \x01(\fR\rcontractBytes\x12\x12\n" + "\x04team\x18\x05 \x01(\tR\x04team\x12 \n" + - "\vdescription\x18\x06 \x01(\tR\vdescription\x12\x16\n" + - "\x06public\x18\a \x01(\bR\x06public\"\xa7\x04\n" + + "\vdescription\x18\x06 \x01(\tR\vdescriptionJ\x04\b\a\x10\bR\x06public\"\x8d\x04\n" + "\x1cWorkflowServiceUpdateRequest\x12\x97\x01\n" + "\x04name\x18\x01 \x01(\tB\x82\x01\xbaH\x7f\xba\x01|\n" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')R\x04name\x12*\n" + "\fproject_name\x18\x03 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\vprojectName\x12\x17\n" + - "\x04team\x18\x04 \x01(\tH\x00R\x04team\x88\x01\x01\x12\x1b\n" + - "\x06public\x18\x05 \x01(\bH\x01R\x06public\x88\x01\x01\x12%\n" + - "\vdescription\x18\x06 \x01(\tH\x02R\vdescription\x88\x01\x01\x12\xad\x01\n" + + "\x04team\x18\x04 \x01(\tH\x00R\x04team\x88\x01\x01\x12%\n" + + "\vdescription\x18\x06 \x01(\tH\x01R\vdescription\x88\x01\x01\x12\xad\x01\n" + "\rcontract_name\x18\a \x01(\tB\x82\x01\xbaH\x7f\xba\x01|\n" + - "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')H\x03R\fcontractName\x88\x01\x01B\a\n" + - "\x05_teamB\t\n" + - "\a_publicB\x0e\n" + + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')H\x02R\fcontractName\x88\x01\x01B\a\n" + + "\x05_teamB\x0e\n" + "\f_descriptionB\x10\n" + - "\x0e_contract_name\"V\n" + + "\x0e_contract_nameJ\x04\b\x05\x10\x06R\x06public\"V\n" + "\x1dWorkflowServiceUpdateResponse\x125\n" + "\x06result\x18\x01 \x01(\v2\x1d.controlplane.v1.WorkflowItemR\x06result\"V\n" + "\x1dWorkflowServiceCreateResponse\x125\n" + @@ -758,13 +730,12 @@ const file_controlplane_v1_workflow_proto_rawDesc = "" + "\x04name\x18\x01 \x01(\tB\x82\x01\xbaH\x7f\xba\x01|\n" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')R\x04name\x12*\n" + "\fproject_name\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\vprojectName\"\x1f\n" + - "\x1dWorkflowServiceDeleteResponse\"\xd3\x05\n" + + "\x1dWorkflowServiceDeleteResponse\"\xa8\x05\n" + "\x1aWorkflowServiceListRequest\x12#\n" + "\rworkflow_name\x18\x01 \x01(\tR\fworkflowName\x12#\n" + "\rworkflow_team\x18\x02 \x01(\tR\fworkflowTeam\x12#\n" + "\rproject_names\x18\x03 \x03(\tR\fprojectNames\x121\n" + - "\x14workflow_description\x18\x04 \x01(\tR\x13workflowDescription\x12,\n" + - "\x0fworkflow_public\x18\x05 \x01(\bH\x00R\x0eworkflowPublic\x88\x01\x01\x12n\n" + + "\x14workflow_description\x18\x04 \x01(\tR\x13workflowDescription\x12n\n" + "\x18workflow_run_runner_type\x18\x06 \x01(\x0e25.workflowcontract.v1.CraftingSchema.Runner.RunnerTypeR\x15workflowRunRunnerType\x12`\n" + "\x18workflow_run_last_status\x18\a \x01(\x0e2\x1a.controlplane.v1.RunStatusB\v\xbaH\b\xd8\x01\x01\x82\x01\x02 \x00R\x15workflowRunLastStatus\x12w\n" + "\x1dworkflow_last_activity_window\x18\b \x01(\x0e2'.controlplane.v1.WorkflowActivityWindowB\v\xbaH\b\xd8\x01\x01\x82\x01\x02 \x00R\x1aworkflowLastActivityWindow\x12H\n" + @@ -772,8 +743,7 @@ const file_controlplane_v1_workflow_proto_rawDesc = "" + "pagination\x18\t \x01(\v2(.controlplane.v1.OffsetPaginationRequestR\n" + "pagination\x12<\n" + "\fjson_filters\x18\n" + - " \x03(\v2\x19.jsonfilter.v1.JSONFilterR\vjsonFiltersB\x12\n" + - "\x10_workflow_public\"\x9f\x01\n" + + " \x03(\v2\x19.jsonfilter.v1.JSONFilterR\vjsonFiltersJ\x04\b\x05\x10\x06R\x0fworkflow_public\"\x9f\x01\n" + "\x1bWorkflowServiceListResponse\x125\n" + "\x06result\x18\x01 \x03(\v2\x1d.controlplane.v1.WorkflowItemR\x06result\x12I\n" + "\n" + @@ -866,7 +836,6 @@ func file_controlplane_v1_workflow_proto_init() { file_controlplane_v1_pagination_proto_init() file_controlplane_v1_response_messages_proto_init() file_controlplane_v1_workflow_proto_msgTypes[1].OneofWrappers = []any{} - file_controlplane_v1_workflow_proto_msgTypes[6].OneofWrappers = []any{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ diff --git a/app/controlplane/api/controlplane/v1/workflow.proto b/app/controlplane/api/controlplane/v1/workflow.proto index ee15c87a2..3fd94eace 100644 --- a/app/controlplane/api/controlplane/v1/workflow.proto +++ b/app/controlplane/api/controlplane/v1/workflow.proto @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -58,7 +58,8 @@ message WorkflowServiceCreateRequest { string team = 5; string description = 6; - bool public = 7; + reserved 7; + reserved "public"; } message WorkflowServiceUpdateRequest { @@ -74,7 +75,8 @@ message WorkflowServiceUpdateRequest { // and not just the default value string project_name = 3 [(buf.validate.field).string = {min_len: 1}]; optional string team = 4; - optional bool public = 5; + reserved 5; + reserved "public"; optional string description = 6; optional string contract_name = 7 [(buf.validate.field) = { cel: { @@ -117,8 +119,8 @@ message WorkflowServiceListRequest { repeated string project_names = 3; // The description of the workflow string workflow_description = 4; - // If the workflow is public - optional bool workflow_public = 5; + reserved 5; + reserved "workflow_public"; // The type of runner that ran the workflow workflowcontract.v1.CraftingSchema.Runner.RunnerType workflow_run_runner_type = 6; // The status of the last workflow run diff --git a/app/controlplane/api/controlplane/v1/workflow_grpc.pb.go b/app/controlplane/api/controlplane/v1/workflow_grpc.pb.go index 02110b47e..0db490825 100644 --- a/app/controlplane/api/controlplane/v1/workflow_grpc.pb.go +++ b/app/controlplane/api/controlplane/v1/workflow_grpc.pb.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/referrer.ts b/app/controlplane/api/gen/frontend/controlplane/v1/referrer.ts index 7d3dc8408..270c7e357 100644 --- a/app/controlplane/api/gen/frontend/controlplane/v1/referrer.ts +++ b/app/controlplane/api/gen/frontend/controlplane/v1/referrer.ts @@ -30,32 +30,6 @@ export interface ReferrerServiceDiscoverPrivateRequest { projectVersion: string; } -/** - * DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method - * Deprecated: the public shared index is being retired. - * - * @deprecated - */ -export interface DiscoverPublicSharedRequest { - /** Digest is the unique identifier of the referrer to discover */ - digest: string; - /** - * Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ... - * Used to filter and resolve ambiguities - */ - kind: string; - /** Pagination options for the references list */ - pagination?: CursorPaginationRequest; -} - -/** DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method */ -export interface DiscoverPublicSharedResponse { - /** Result is the discovered referrer item */ - result?: ReferrerItem; - /** Pagination information for the references list */ - pagination?: CursorPaginationResponse; -} - /** ReferrerServiceDiscoverPrivateResponse is the response for the DiscoverPrivate method */ export interface ReferrerServiceDiscoverPrivateResponse { /** Result is the discovered referrer item */ @@ -72,8 +46,6 @@ export interface ReferrerItem { kind: string; /** Downloadable indicates whether the referrer is downloadable or not from CAS */ downloadable: boolean; - /** Public indicates whether the referrer is public since it belongs to a public workflow */ - public: boolean; /** References contains the list of related referrer items */ references: ReferrerItem[]; /** CreatedAt is the timestamp when the referrer was created */ @@ -211,169 +183,6 @@ export const ReferrerServiceDiscoverPrivateRequest = { }, }; -function createBaseDiscoverPublicSharedRequest(): DiscoverPublicSharedRequest { - return { digest: "", kind: "", pagination: undefined }; -} - -export const DiscoverPublicSharedRequest = { - encode(message: DiscoverPublicSharedRequest, writer: _m0.Writer = _m0.Writer.create()): _m0.Writer { - if (message.digest !== "") { - writer.uint32(10).string(message.digest); - } - if (message.kind !== "") { - writer.uint32(18).string(message.kind); - } - if (message.pagination !== undefined) { - CursorPaginationRequest.encode(message.pagination, writer.uint32(26).fork()).ldelim(); - } - return writer; - }, - - decode(input: _m0.Reader | Uint8Array, length?: number): DiscoverPublicSharedRequest { - const reader = input instanceof _m0.Reader ? input : _m0.Reader.create(input); - let end = length === undefined ? reader.len : reader.pos + length; - const message = createBaseDiscoverPublicSharedRequest(); - while (reader.pos < end) { - const tag = reader.uint32(); - switch (tag >>> 3) { - case 1: - if (tag !== 10) { - break; - } - - message.digest = reader.string(); - continue; - case 2: - if (tag !== 18) { - break; - } - - message.kind = reader.string(); - continue; - case 3: - if (tag !== 26) { - break; - } - - message.pagination = CursorPaginationRequest.decode(reader, reader.uint32()); - continue; - } - if ((tag & 7) === 4 || tag === 0) { - break; - } - reader.skipType(tag & 7); - } - return message; - }, - - fromJSON(object: any): DiscoverPublicSharedRequest { - return { - digest: isSet(object.digest) ? String(object.digest) : "", - kind: isSet(object.kind) ? String(object.kind) : "", - pagination: isSet(object.pagination) ? CursorPaginationRequest.fromJSON(object.pagination) : undefined, - }; - }, - - toJSON(message: DiscoverPublicSharedRequest): unknown { - const obj: any = {}; - message.digest !== undefined && (obj.digest = message.digest); - message.kind !== undefined && (obj.kind = message.kind); - message.pagination !== undefined && - (obj.pagination = message.pagination ? CursorPaginationRequest.toJSON(message.pagination) : undefined); - return obj; - }, - - create, I>>(base?: I): DiscoverPublicSharedRequest { - return DiscoverPublicSharedRequest.fromPartial(base ?? {}); - }, - - fromPartial, I>>(object: I): DiscoverPublicSharedRequest { - const message = createBaseDiscoverPublicSharedRequest(); - message.digest = object.digest ?? ""; - message.kind = object.kind ?? ""; - message.pagination = (object.pagination !== undefined && object.pagination !== null) - ? CursorPaginationRequest.fromPartial(object.pagination) - : undefined; - return message; - }, -}; - -function createBaseDiscoverPublicSharedResponse(): DiscoverPublicSharedResponse { - return { result: undefined, pagination: undefined }; -} - -export const DiscoverPublicSharedResponse = { - encode(message: DiscoverPublicSharedResponse, writer: _m0.Writer = _m0.Writer.create()): _m0.Writer { - if (message.result !== undefined) { - ReferrerItem.encode(message.result, writer.uint32(10).fork()).ldelim(); - } - if (message.pagination !== undefined) { - CursorPaginationResponse.encode(message.pagination, writer.uint32(18).fork()).ldelim(); - } - return writer; - }, - - decode(input: _m0.Reader | Uint8Array, length?: number): DiscoverPublicSharedResponse { - const reader = input instanceof _m0.Reader ? input : _m0.Reader.create(input); - let end = length === undefined ? reader.len : reader.pos + length; - const message = createBaseDiscoverPublicSharedResponse(); - while (reader.pos < end) { - const tag = reader.uint32(); - switch (tag >>> 3) { - case 1: - if (tag !== 10) { - break; - } - - message.result = ReferrerItem.decode(reader, reader.uint32()); - continue; - case 2: - if (tag !== 18) { - break; - } - - message.pagination = CursorPaginationResponse.decode(reader, reader.uint32()); - continue; - } - if ((tag & 7) === 4 || tag === 0) { - break; - } - reader.skipType(tag & 7); - } - return message; - }, - - fromJSON(object: any): DiscoverPublicSharedResponse { - return { - result: isSet(object.result) ? ReferrerItem.fromJSON(object.result) : undefined, - pagination: isSet(object.pagination) ? CursorPaginationResponse.fromJSON(object.pagination) : undefined, - }; - }, - - toJSON(message: DiscoverPublicSharedResponse): unknown { - const obj: any = {}; - message.result !== undefined && (obj.result = message.result ? ReferrerItem.toJSON(message.result) : undefined); - message.pagination !== undefined && - (obj.pagination = message.pagination ? CursorPaginationResponse.toJSON(message.pagination) : undefined); - return obj; - }, - - create, I>>(base?: I): DiscoverPublicSharedResponse { - return DiscoverPublicSharedResponse.fromPartial(base ?? {}); - }, - - fromPartial, I>>(object: I): DiscoverPublicSharedResponse { - const message = createBaseDiscoverPublicSharedResponse(); - message.result = (object.result !== undefined && object.result !== null) - ? ReferrerItem.fromPartial(object.result) - : undefined; - message.pagination = (object.pagination !== undefined && object.pagination !== null) - ? CursorPaginationResponse.fromPartial(object.pagination) - : undefined; - return message; - }, -}; - function createBaseReferrerServiceDiscoverPrivateResponse(): ReferrerServiceDiscoverPrivateResponse { return { result: undefined, pagination: undefined }; } @@ -459,7 +268,6 @@ function createBaseReferrerItem(): ReferrerItem { digest: "", kind: "", downloadable: false, - public: false, references: [], createdAt: undefined, metadata: {}, @@ -478,9 +286,6 @@ export const ReferrerItem = { if (message.downloadable === true) { writer.uint32(24).bool(message.downloadable); } - if (message.public === true) { - writer.uint32(48).bool(message.public); - } for (const v of message.references) { ReferrerItem.encode(v!, writer.uint32(34).fork()).ldelim(); } @@ -524,13 +329,6 @@ export const ReferrerItem = { message.downloadable = reader.bool(); continue; - case 6: - if (tag !== 48) { - break; - } - - message.public = reader.bool(); - continue; case 4: if (tag !== 34) { break; @@ -579,7 +377,6 @@ export const ReferrerItem = { digest: isSet(object.digest) ? String(object.digest) : "", kind: isSet(object.kind) ? String(object.kind) : "", downloadable: isSet(object.downloadable) ? Boolean(object.downloadable) : false, - public: isSet(object.public) ? Boolean(object.public) : false, references: Array.isArray(object?.references) ? object.references.map((e: any) => ReferrerItem.fromJSON(e)) : [], createdAt: isSet(object.createdAt) ? fromJsonTimestamp(object.createdAt) : undefined, metadata: isObject(object.metadata) @@ -602,7 +399,6 @@ export const ReferrerItem = { message.digest !== undefined && (obj.digest = message.digest); message.kind !== undefined && (obj.kind = message.kind); message.downloadable !== undefined && (obj.downloadable = message.downloadable); - message.public !== undefined && (obj.public = message.public); if (message.references) { obj.references = message.references.map((e) => e ? ReferrerItem.toJSON(e) : undefined); } else { @@ -633,7 +429,6 @@ export const ReferrerItem = { message.digest = object.digest ?? ""; message.kind = object.kind ?? ""; message.downloadable = object.downloadable ?? false; - message.public = object.public ?? false; message.references = object.references?.map((e) => ReferrerItem.fromPartial(e)) || []; message.createdAt = object.createdAt ?? undefined; message.metadata = Object.entries(object.metadata ?? {}).reduce<{ [key: string]: string }>((acc, [key, value]) => { @@ -799,16 +594,6 @@ export interface ReferrerService { request: DeepPartial, metadata?: grpc.Metadata, ): Promise; - /** - * DiscoverPublicShared returns the referrer item for a given digest in the public shared index - * Deprecated: the public shared index is being retired. - * - * @deprecated - */ - DiscoverPublicShared( - request: DeepPartial, - metadata?: grpc.Metadata, - ): Promise; } export class ReferrerServiceClientImpl implements ReferrerService { @@ -817,7 +602,6 @@ export class ReferrerServiceClientImpl implements ReferrerService { constructor(rpc: Rpc) { this.rpc = rpc; this.DiscoverPrivate = this.DiscoverPrivate.bind(this); - this.DiscoverPublicShared = this.DiscoverPublicShared.bind(this); } DiscoverPrivate( @@ -830,17 +614,6 @@ export class ReferrerServiceClientImpl implements ReferrerService { metadata, ); } - - DiscoverPublicShared( - request: DeepPartial, - metadata?: grpc.Metadata, - ): Promise { - return this.rpc.unary( - ReferrerServiceDiscoverPublicSharedDesc, - DiscoverPublicSharedRequest.fromPartial(request), - metadata, - ); - } } export const ReferrerServiceDesc = { serviceName: "controlplane.v1.ReferrerService" }; @@ -868,29 +641,6 @@ export const ReferrerServiceDiscoverPrivateDesc: UnaryMethodDefinitionish = { } as any, }; -export const ReferrerServiceDiscoverPublicSharedDesc: UnaryMethodDefinitionish = { - methodName: "DiscoverPublicShared", - service: ReferrerServiceDesc, - requestStream: false, - responseStream: false, - requestType: { - serializeBinary() { - return DiscoverPublicSharedRequest.encode(this).finish(); - }, - } as any, - responseType: { - deserializeBinary(data: Uint8Array) { - const value = DiscoverPublicSharedResponse.decode(data); - return { - ...value, - toObject() { - return value; - }, - }; - }, - } as any, -}; - interface UnaryMethodDefinitionishR extends grpc.UnaryMethodDefinition { requestStream: any; responseStream: any; diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts b/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts index dea3ff5c2..e23dc8273 100644 --- a/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts +++ b/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts @@ -501,9 +501,10 @@ export interface WorkflowItem { /** Current, latest revision of the contract */ contractRevisionLatest: number; /** - * A public workflow means that any user can - * - access to all its workflow runs - * - their attestation and materials + * Deprecated: public workflows were removed. This field is always false and + * is retained only for wire compatibility; it will be removed in a future release. + * + * @deprecated */ public: boolean; description: string; diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/workflow.ts b/app/controlplane/api/gen/frontend/controlplane/v1/workflow.ts index da433d54b..213aa85a6 100644 --- a/app/controlplane/api/gen/frontend/controlplane/v1/workflow.ts +++ b/app/controlplane/api/gen/frontend/controlplane/v1/workflow.ts @@ -68,7 +68,6 @@ export interface WorkflowServiceCreateRequest { contractBytes: Uint8Array; team: string; description: string; - public: boolean; } export interface WorkflowServiceUpdateRequest { @@ -79,7 +78,6 @@ export interface WorkflowServiceUpdateRequest { */ projectName: string; team?: string | undefined; - public?: boolean | undefined; description?: string | undefined; contractName?: string | undefined; } @@ -109,10 +107,6 @@ export interface WorkflowServiceListRequest { projectNames: string[]; /** The description of the workflow */ workflowDescription: string; - /** If the workflow is public */ - workflowPublic?: - | boolean - | undefined; /** The type of runner that ran the workflow */ workflowRunRunnerType: CraftingSchema_Runner_RunnerType; /** The status of the last workflow run */ @@ -140,15 +134,7 @@ export interface WorkflowServiceViewResponse { } function createBaseWorkflowServiceCreateRequest(): WorkflowServiceCreateRequest { - return { - name: "", - projectName: "", - contractName: "", - contractBytes: new Uint8Array(0), - team: "", - description: "", - public: false, - }; + return { name: "", projectName: "", contractName: "", contractBytes: new Uint8Array(0), team: "", description: "" }; } export const WorkflowServiceCreateRequest = { @@ -171,9 +157,6 @@ export const WorkflowServiceCreateRequest = { if (message.description !== "") { writer.uint32(50).string(message.description); } - if (message.public === true) { - writer.uint32(56).bool(message.public); - } return writer; }, @@ -226,13 +209,6 @@ export const WorkflowServiceCreateRequest = { message.description = reader.string(); continue; - case 7: - if (tag !== 56) { - break; - } - - message.public = reader.bool(); - continue; } if ((tag & 7) === 4 || tag === 0) { break; @@ -250,7 +226,6 @@ export const WorkflowServiceCreateRequest = { contractBytes: isSet(object.contractBytes) ? bytesFromBase64(object.contractBytes) : new Uint8Array(0), team: isSet(object.team) ? String(object.team) : "", description: isSet(object.description) ? String(object.description) : "", - public: isSet(object.public) ? Boolean(object.public) : false, }; }, @@ -265,7 +240,6 @@ export const WorkflowServiceCreateRequest = { )); message.team !== undefined && (obj.team = message.team); message.description !== undefined && (obj.description = message.description); - message.public !== undefined && (obj.public = message.public); return obj; }, @@ -281,20 +255,12 @@ export const WorkflowServiceCreateRequest = { message.contractBytes = object.contractBytes ?? new Uint8Array(0); message.team = object.team ?? ""; message.description = object.description ?? ""; - message.public = object.public ?? false; return message; }, }; function createBaseWorkflowServiceUpdateRequest(): WorkflowServiceUpdateRequest { - return { - name: "", - projectName: "", - team: undefined, - public: undefined, - description: undefined, - contractName: undefined, - }; + return { name: "", projectName: "", team: undefined, description: undefined, contractName: undefined }; } export const WorkflowServiceUpdateRequest = { @@ -308,9 +274,6 @@ export const WorkflowServiceUpdateRequest = { if (message.team !== undefined) { writer.uint32(34).string(message.team); } - if (message.public !== undefined) { - writer.uint32(40).bool(message.public); - } if (message.description !== undefined) { writer.uint32(50).string(message.description); } @@ -348,13 +311,6 @@ export const WorkflowServiceUpdateRequest = { message.team = reader.string(); continue; - case 5: - if (tag !== 40) { - break; - } - - message.public = reader.bool(); - continue; case 6: if (tag !== 50) { break; @@ -383,7 +339,6 @@ export const WorkflowServiceUpdateRequest = { name: isSet(object.name) ? String(object.name) : "", projectName: isSet(object.projectName) ? String(object.projectName) : "", team: isSet(object.team) ? String(object.team) : undefined, - public: isSet(object.public) ? Boolean(object.public) : undefined, description: isSet(object.description) ? String(object.description) : undefined, contractName: isSet(object.contractName) ? String(object.contractName) : undefined, }; @@ -394,7 +349,6 @@ export const WorkflowServiceUpdateRequest = { message.name !== undefined && (obj.name = message.name); message.projectName !== undefined && (obj.projectName = message.projectName); message.team !== undefined && (obj.team = message.team); - message.public !== undefined && (obj.public = message.public); message.description !== undefined && (obj.description = message.description); message.contractName !== undefined && (obj.contractName = message.contractName); return obj; @@ -409,7 +363,6 @@ export const WorkflowServiceUpdateRequest = { message.name = object.name ?? ""; message.projectName = object.projectName ?? ""; message.team = object.team ?? undefined; - message.public = object.public ?? undefined; message.description = object.description ?? undefined; message.contractName = object.contractName ?? undefined; return message; @@ -657,7 +610,6 @@ function createBaseWorkflowServiceListRequest(): WorkflowServiceListRequest { workflowTeam: "", projectNames: [], workflowDescription: "", - workflowPublic: undefined, workflowRunRunnerType: 0, workflowRunLastStatus: 0, workflowLastActivityWindow: 0, @@ -680,9 +632,6 @@ export const WorkflowServiceListRequest = { if (message.workflowDescription !== "") { writer.uint32(34).string(message.workflowDescription); } - if (message.workflowPublic !== undefined) { - writer.uint32(40).bool(message.workflowPublic); - } if (message.workflowRunRunnerType !== 0) { writer.uint32(48).int32(message.workflowRunRunnerType); } @@ -736,13 +685,6 @@ export const WorkflowServiceListRequest = { message.workflowDescription = reader.string(); continue; - case 5: - if (tag !== 40) { - break; - } - - message.workflowPublic = reader.bool(); - continue; case 6: if (tag !== 48) { break; @@ -793,7 +735,6 @@ export const WorkflowServiceListRequest = { workflowTeam: isSet(object.workflowTeam) ? String(object.workflowTeam) : "", projectNames: Array.isArray(object?.projectNames) ? object.projectNames.map((e: any) => String(e)) : [], workflowDescription: isSet(object.workflowDescription) ? String(object.workflowDescription) : "", - workflowPublic: isSet(object.workflowPublic) ? Boolean(object.workflowPublic) : undefined, workflowRunRunnerType: isSet(object.workflowRunRunnerType) ? craftingSchema_Runner_RunnerTypeFromJSON(object.workflowRunRunnerType) : 0, @@ -816,7 +757,6 @@ export const WorkflowServiceListRequest = { obj.projectNames = []; } message.workflowDescription !== undefined && (obj.workflowDescription = message.workflowDescription); - message.workflowPublic !== undefined && (obj.workflowPublic = message.workflowPublic); message.workflowRunRunnerType !== undefined && (obj.workflowRunRunnerType = craftingSchema_Runner_RunnerTypeToJSON(message.workflowRunRunnerType)); message.workflowRunLastStatus !== undefined && @@ -843,7 +783,6 @@ export const WorkflowServiceListRequest = { message.workflowTeam = object.workflowTeam ?? ""; message.projectNames = object.projectNames?.map((e) => e) || []; message.workflowDescription = object.workflowDescription ?? ""; - message.workflowPublic = object.workflowPublic ?? undefined; message.workflowRunRunnerType = object.workflowRunRunnerType ?? 0; message.workflowRunLastStatus = object.workflowRunLastStatus ?? 0; message.workflowLastActivityWindow = object.workflowLastActivityWindow ?? 0; diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json deleted file mode 100644 index c1e135f13..000000000 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "$id": "controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json", - "$schema": "https://json-schema.org/draft/2020-12/schema", - "additionalProperties": false, - "description": "DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method\n Deprecated: the public shared index is being retired.", - "properties": { - "digest": { - "description": "Digest is the unique identifier of the referrer to discover", - "minLength": 1, - "type": "string" - }, - "kind": { - "description": "Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ...\n Used to filter and resolve ambiguities", - "type": "string" - }, - "pagination": { - "$ref": "controlplane.v1.CursorPaginationRequest.jsonschema.json", - "description": "Pagination options for the references list" - } - }, - "title": "Discover Public Shared Request", - "type": "object" -} diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.schema.json deleted file mode 100644 index 498bb60b5..000000000 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.schema.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "$id": "controlplane.v1.DiscoverPublicSharedRequest.schema.json", - "$schema": "https://json-schema.org/draft/2020-12/schema", - "additionalProperties": false, - "description": "DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method\n Deprecated: the public shared index is being retired.", - "properties": { - "digest": { - "description": "Digest is the unique identifier of the referrer to discover", - "minLength": 1, - "type": "string" - }, - "kind": { - "description": "Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ...\n Used to filter and resolve ambiguities", - "type": "string" - }, - "pagination": { - "$ref": "controlplane.v1.CursorPaginationRequest.schema.json", - "description": "Pagination options for the references list" - } - }, - "title": "Discover Public Shared Request", - "type": "object" -} diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.jsonschema.json deleted file mode 100644 index ebb28c383..000000000 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.jsonschema.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "$id": "controlplane.v1.DiscoverPublicSharedResponse.jsonschema.json", - "$schema": "https://json-schema.org/draft/2020-12/schema", - "additionalProperties": false, - "description": "DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method", - "properties": { - "pagination": { - "$ref": "controlplane.v1.CursorPaginationResponse.jsonschema.json", - "description": "Pagination information for the references list" - }, - "result": { - "$ref": "controlplane.v1.ReferrerItem.jsonschema.json", - "description": "Result is the discovered referrer item" - } - }, - "title": "Discover Public Shared Response", - "type": "object" -} diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.schema.json deleted file mode 100644 index 282690659..000000000 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedResponse.schema.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "$id": "controlplane.v1.DiscoverPublicSharedResponse.schema.json", - "$schema": "https://json-schema.org/draft/2020-12/schema", - "additionalProperties": false, - "description": "DiscoverPublicSharedResponse is the response for the DiscoverPublicShared method", - "properties": { - "pagination": { - "$ref": "controlplane.v1.CursorPaginationResponse.schema.json", - "description": "Pagination information for the references list" - }, - "result": { - "$ref": "controlplane.v1.ReferrerItem.schema.json", - "description": "Result is the discovered referrer item" - } - }, - "title": "Discover Public Shared Response", - "type": "object" -} diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.jsonschema.json index 41416b12f..ef56a5dbe 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.jsonschema.json @@ -46,10 +46,6 @@ }, "type": "object" }, - "public": { - "description": "Public indicates whether the referrer is public since it belongs to a public workflow", - "type": "boolean" - }, "references": { "description": "References contains the list of related referrer items", "items": { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.schema.json index 1d6242f66..c5aa6e231 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerItem.schema.json @@ -46,10 +46,6 @@ }, "type": "object" }, - "public": { - "description": "Public indicates whether the referrer is public since it belongs to a public workflow", - "type": "boolean" - }, "references": { "description": "References contains the list of related referrer items", "items": { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.jsonschema.json index 767f1f716..4c82ec5c6 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.jsonschema.json @@ -61,7 +61,7 @@ "type": "string" }, "public": { - "description": "A public workflow means that any user can\n - access to all its workflow runs\n - their attestation and materials", + "description": "Deprecated: public workflows were removed. This field is always false and\n is retained only for wire compatibility; it will be removed in a future release.", "type": "boolean" }, "runsCount": { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.schema.json index 9a3fc8afa..da762dc32 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowItem.schema.json @@ -61,7 +61,7 @@ "type": "string" }, "public": { - "description": "A public workflow means that any user can\n - access to all its workflow runs\n - their attestation and materials", + "description": "Deprecated: public workflows were removed. This field is always false and\n is retained only for wire compatibility; it will be removed in a future release.", "type": "boolean" }, "runs_count": { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.jsonschema.json index 3144eff12..ff3857f7a 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.jsonschema.json @@ -37,9 +37,6 @@ "minLength": 1, "type": "string" }, - "public": { - "type": "boolean" - }, "team": { "type": "string" } diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.schema.json index b3af70bc0..31339fca7 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceCreateRequest.schema.json @@ -37,9 +37,6 @@ "minLength": 1, "type": "string" }, - "public": { - "type": "boolean" - }, "team": { "type": "string" } diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.jsonschema.json index 40da111f9..c8b43d021 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.jsonschema.json @@ -45,10 +45,6 @@ "description": "The name of the workflow to filter by", "type": "string" }, - "^(workflow_public)$": { - "description": "If the workflow is public", - "type": "boolean" - }, "^(workflow_run_last_status)$": { "anyOf": [ { @@ -149,10 +145,6 @@ "description": "The name of the workflow to filter by", "type": "string" }, - "workflowPublic": { - "description": "If the workflow is public", - "type": "boolean" - }, "workflowRunLastStatus": { "anyOf": [ { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.schema.json index 5920fcfdd..25ca75d53 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceListRequest.schema.json @@ -45,10 +45,6 @@ "description": "The name of the workflow to filter by", "type": "string" }, - "^(workflowPublic)$": { - "description": "If the workflow is public", - "type": "boolean" - }, "^(workflowRunLastStatus)$": { "anyOf": [ { @@ -149,10 +145,6 @@ "description": "The name of the workflow to filter by", "type": "string" }, - "workflow_public": { - "description": "If the workflow is public", - "type": "boolean" - }, "workflow_run_last_status": { "anyOf": [ { diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.jsonschema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.jsonschema.json index 8f89d5ffa..d8ff039a8 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.jsonschema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.jsonschema.json @@ -27,9 +27,6 @@ "minLength": 1, "type": "string" }, - "public": { - "type": "boolean" - }, "team": { "type": "string" } diff --git a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.schema.json b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.schema.json index 0a20e527a..bff0a14c1 100644 --- a/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.schema.json +++ b/app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowServiceUpdateRequest.schema.json @@ -27,9 +27,6 @@ "minLength": 1, "type": "string" }, - "public": { - "type": "boolean" - }, "team": { "type": "string" } diff --git a/app/controlplane/api/gen/openapi/openapi.yaml b/app/controlplane/api/gen/openapi/openapi.yaml index 5a3e5a288..a5036f3b3 100644 --- a/app/controlplane/api/gen/openapi/openapi.yaml +++ b/app/controlplane/api/gen/openapi/openapi.yaml @@ -22,54 +22,6 @@ externalDocs: description: Chainloop Official Documentation url: https://docs.chainloop.dev paths: - /discover/shared/{digest}: - get: - description: Returns the referrer item for a given digest in the public shared index - operationId: ReferrerService_DiscoverPublicShared - parameters: - - description: Digest is the unique identifier of the referrer to discover - in: path - name: digest - required: true - schema: - type: string - - description: >- - Kind is the optional type of referrer, i.e CONTAINER_IMAGE, - GIT_HEAD, ... - - Used to filter and resolve ambiguities - in: query - name: kind - schema: - type: string - - in: query - name: pagination.cursor - schema: - type: string - - description: Limit pagination to 100 - in: query - name: pagination.limit - schema: - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/v1DiscoverPublicSharedResponse' - description: A successful response. - default: - content: - application/json: - schema: - $ref: '#/components/schemas/rpcStatus' - description: An unexpected error response. - summary: Discover public shared referrer - tags: - - ReferrerService - security: - - bearerToken: [] /discover/{digest}: get: description: >- @@ -284,38 +236,12 @@ components: next_cursor: type: string type: object - v1DiscoverPublicSharedResponse: - description: Response for the DiscoverPublicShared method - example: - result: - downloadable: true - metadata: - key: metadata - public: true - references: - - null - - null - kind: kind - digest: digest - created_at: '2000-01-23T04:56:07.000+00:00' - annotations: - key: annotations - pagination: - next_cursor: next_cursor - properties: - result: - $ref: '#/components/schemas/v1ReferrerItem' - pagination: - $ref: '#/components/schemas/v1CursorPaginationResponse' - title: DiscoverPublicSharedResponse - type: object v1ReferrerItem: description: It represents a referrer object in the system example: downloadable: true metadata: key: metadata - public: true references: - null - null @@ -336,11 +262,6 @@ components: Downloadable indicates whether the referrer is downloadable or not from CAS type: boolean - public: - title: >- - Public indicates whether the referrer is public since it belongs to - a public workflow - type: boolean references: items: $ref: '#/components/schemas/v1ReferrerItem' @@ -371,7 +292,6 @@ components: downloadable: true metadata: key: metadata - public: true references: - null - null diff --git a/app/controlplane/cmd/wire.go b/app/controlplane/cmd/wire.go index 5c0ef1180..ab5903af0 100644 --- a/app/controlplane/cmd/wire.go +++ b/app/controlplane/cmd/wire.go @@ -59,7 +59,7 @@ func wireApp(context.Context, *conf.Bootstrap, credentials.ReaderWriter, log.Log wire.Bind(new(biz.CASClient), new(*biz.CASClientUseCase)), serviceOpts, wire.Value([]biz.CASClientOpts{}), - wire.FieldsOf(new(*conf.Bootstrap), "Server", "Auth", "Data", "CasServer", "ReferrerSharedIndex", "Onboarding", "PrometheusIntegration", "PolicyProviders", "NatsServer", "FederatedAuthentication", "OperationAuthorizationProvider"), + wire.FieldsOf(new(*conf.Bootstrap), "Server", "Auth", "Data", "CasServer", "Onboarding", "PrometheusIntegration", "PolicyProviders", "NatsServer", "FederatedAuthentication", "OperationAuthorizationProvider"), wire.FieldsOf(new(*conf.Data), "Database"), dispatcher.New, authz.NewCasbinEnforcer, @@ -77,7 +77,6 @@ func wireApp(context.Context, *conf.Bootstrap, credentials.ReaderWriter, log.Log newJWTConfig, authzConfig, authzUseCaseConfig, - biz.NewIndexConfig, ), ) } diff --git a/app/controlplane/cmd/wire_gen.go b/app/controlplane/cmd/wire_gen.go index 13ff75105..350656274 100644 --- a/app/controlplane/cmd/wire_gen.go +++ b/app/controlplane/cmd/wire_gen.go @@ -125,15 +125,7 @@ func wireApp(contextContext context.Context, bootstrap *conf.Bootstrap, readerWr v2 := _wireValue casClientUseCase := biz.NewCASClientUseCase(casCredentialsUseCase, bootstrap_CASServer, logger, v2...) referrerRepo := data.NewReferrerRepo(dataData, workflowRepo, logger) - referrerSharedIndex := bootstrap.ReferrerSharedIndex - referrerSharedIndexConfig, err := biz.NewIndexConfig(referrerSharedIndex) - if err != nil { - cleanup3() - cleanup2() - cleanup() - return nil, nil, err - } - referrerUseCase, err := biz.NewReferrerUseCase(referrerRepo, workflowRepo, membershipUseCase, referrerSharedIndexConfig, logger) + referrerUseCase, err := biz.NewReferrerUseCase(referrerRepo, workflowRepo, membershipUseCase, logger) if err != nil { cleanup3() cleanup2() diff --git a/app/controlplane/configs/samples/config.yaml b/app/controlplane/configs/samples/config.yaml index 04c5f3f63..b7f7a9614 100644 --- a/app/controlplane/configs/samples/config.yaml +++ b/app/controlplane/configs/samples/config.yaml @@ -57,16 +57,6 @@ credentials_service: # client_secret: Service Principal Secret # vault_uri: https://myvault.vault.azure.net/ -# referrer shared index configuration. -# This is used to enable a shared index API endpoint that can be used to discover metadata referrers -# To populate the shared index you need to enable the feature and configure the allowed orgs -# The reason to have an org allowList is to avoid leaking metadata from other organizations -# and set the stage for a trusted publisher model -referrer_shared_index: - enabled: true - allowed_orgs: - - deadbeef - onboarding: - name: "read-only-demo" role: MEMBERSHIP_ROLE_ORG_VIEWER diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf.go b/app/controlplane/internal/conf/controlplane/config/v1/conf.go deleted file mode 100644 index 8bdf8f416..000000000 --- a/app/controlplane/internal/conf/controlplane/config/v1/conf.go +++ /dev/null @@ -1,41 +0,0 @@ -// -// Copyright 2023 The Chainloop Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package conf - -import ( - "errors" - "fmt" - - "github.com/google/uuid" -) - -func (c *ReferrerSharedIndex) ValidateOrgs() error { - if c == nil || !c.Enabled { - return nil - } - - if c.Enabled && len(c.AllowedOrgs) == 0 { - return errors.New("index is enabled, but no orgs are allowed") - } - - for _, orgID := range c.AllowedOrgs { - if _, err := uuid.Parse(orgID); err != nil { - return fmt.Errorf("invalid org id: %s", orgID) - } - } - - return nil -} diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go b/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go index e34afb9a3..aeccaa51e 100644 --- a/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go +++ b/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go @@ -52,8 +52,6 @@ type Bootstrap struct { // Plugins directory // NOTE: plugins have the form of chainloop-plugin- PluginsDir string `protobuf:"bytes,7,opt,name=plugins_dir,json=pluginsDir,proto3" json:"plugins_dir,omitempty"` - // Configuration about the shared referrer index - ReferrerSharedIndex *ReferrerSharedIndex `protobuf:"bytes,8,opt,name=referrer_shared_index,json=referrerSharedIndex,proto3" json:"referrer_shared_index,omitempty"` // The certificate authority used for keyless signing (deprecated, use certificate_authorities instead) // // Deprecated: Marked as deprecated in controlplane/config/v1/conf.proto. @@ -167,13 +165,6 @@ func (x *Bootstrap) GetPluginsDir() string { return "" } -func (x *Bootstrap) GetReferrerSharedIndex() *ReferrerSharedIndex { - if x != nil { - return x.ReferrerSharedIndex - } - return nil -} - // Deprecated: Marked as deprecated in controlplane/config/v1/conf.proto. func (x *Bootstrap) GetCertificateAuthority() *CA { if x != nil { @@ -507,64 +498,6 @@ func (x *PolicyProvider) GetUrl() string { return "" } -// Configuration used to enable a shared index API endpoint that can be used to discover metadata referrers -// To populate the shared index you need to enable the feature and configure the allowed orgs -// The reason to have an org allowList is to avoid leaking metadata from other organizations and set the stage for a trusted publisher model -type ReferrerSharedIndex struct { - state protoimpl.MessageState `protogen:"open.v1"` - // If the shared, public index feature is enabled - Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"` - // list of organizations uuids that are allowed to appear in the shared referrer index - // think of it as a list of trusted publishers - AllowedOrgs []string `protobuf:"bytes,2,rep,name=allowed_orgs,json=allowedOrgs,proto3" json:"allowed_orgs,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache -} - -func (x *ReferrerSharedIndex) Reset() { - *x = ReferrerSharedIndex{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *ReferrerSharedIndex) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ReferrerSharedIndex) ProtoMessage() {} - -func (x *ReferrerSharedIndex) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[5] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ReferrerSharedIndex.ProtoReflect.Descriptor instead. -func (*ReferrerSharedIndex) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5} -} - -func (x *ReferrerSharedIndex) GetEnabled() bool { - if x != nil { - return x.Enabled - } - return false -} - -func (x *ReferrerSharedIndex) GetAllowedOrgs() []string { - if x != nil { - return x.AllowedOrgs - } - return nil -} - type Server struct { state protoimpl.MessageState `protogen:"open.v1"` Http *Server_HTTP `protobuf:"bytes,1,opt,name=http,proto3" json:"http,omitempty"` @@ -577,7 +510,7 @@ type Server struct { func (x *Server) Reset() { *x = Server{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[6] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -589,7 +522,7 @@ func (x *Server) String() string { func (*Server) ProtoMessage() {} func (x *Server) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[6] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[5] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -602,7 +535,7 @@ func (x *Server) ProtoReflect() protoreflect.Message { // Deprecated: Use Server.ProtoReflect.Descriptor instead. func (*Server) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5} } func (x *Server) GetHttp() *Server_HTTP { @@ -635,7 +568,7 @@ type Data struct { func (x *Data) Reset() { *x = Data{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[7] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -647,7 +580,7 @@ func (x *Data) String() string { func (*Data) ProtoMessage() {} func (x *Data) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[7] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[6] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -660,7 +593,7 @@ func (x *Data) ProtoReflect() protoreflect.Message { // Deprecated: Use Data.ProtoReflect.Descriptor instead. func (*Data) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{7} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6} } func (x *Data) GetDatabase() *Data_Database { @@ -685,7 +618,7 @@ type Auth struct { func (x *Auth) Reset() { *x = Auth{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[8] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -697,7 +630,7 @@ func (x *Auth) String() string { func (*Auth) ProtoMessage() {} func (x *Auth) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[8] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[7] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -710,7 +643,7 @@ func (x *Auth) ProtoReflect() protoreflect.Message { // Deprecated: Use Auth.ProtoReflect.Descriptor instead. func (*Auth) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{8} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{7} } func (x *Auth) GetGeneratedJwsHmacSecret() string { @@ -762,7 +695,7 @@ type TSA struct { func (x *TSA) Reset() { *x = TSA{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[9] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -774,7 +707,7 @@ func (x *TSA) String() string { func (*TSA) ProtoMessage() {} func (x *TSA) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[9] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[8] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -787,7 +720,7 @@ func (x *TSA) ProtoReflect() protoreflect.Message { // Deprecated: Use TSA.ProtoReflect.Descriptor instead. func (*TSA) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{9} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{8} } func (x *TSA) GetUrl() string { @@ -828,7 +761,7 @@ type CA struct { func (x *CA) Reset() { *x = CA{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[10] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -840,7 +773,7 @@ func (x *CA) String() string { func (*CA) ProtoMessage() {} func (x *CA) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[10] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[9] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -853,7 +786,7 @@ func (x *CA) ProtoReflect() protoreflect.Message { // Deprecated: Use CA.ProtoReflect.Descriptor instead. func (*CA) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{10} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{9} } func (x *CA) GetCa() isCA_Ca { @@ -915,7 +848,7 @@ type PrometheusIntegrationSpec struct { func (x *PrometheusIntegrationSpec) Reset() { *x = PrometheusIntegrationSpec{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[11] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -927,7 +860,7 @@ func (x *PrometheusIntegrationSpec) String() string { func (*PrometheusIntegrationSpec) ProtoMessage() {} func (x *PrometheusIntegrationSpec) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[11] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[10] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -940,7 +873,7 @@ func (x *PrometheusIntegrationSpec) ProtoReflect() protoreflect.Message { // Deprecated: Use PrometheusIntegrationSpec.ProtoReflect.Descriptor instead. func (*PrometheusIntegrationSpec) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{11} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{10} } func (x *PrometheusIntegrationSpec) GetOrgName() string { @@ -960,7 +893,7 @@ type Bootstrap_Observability struct { func (x *Bootstrap_Observability) Reset() { *x = Bootstrap_Observability{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[12] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -972,7 +905,7 @@ func (x *Bootstrap_Observability) String() string { func (*Bootstrap_Observability) ProtoMessage() {} func (x *Bootstrap_Observability) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[12] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[11] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1022,7 +955,7 @@ type Bootstrap_CASServer struct { func (x *Bootstrap_CASServer) Reset() { *x = Bootstrap_CASServer{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[13] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1034,7 +967,7 @@ func (x *Bootstrap_CASServer) String() string { func (*Bootstrap_CASServer) ProtoMessage() {} func (x *Bootstrap_CASServer) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[13] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[12] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1095,7 +1028,7 @@ type Bootstrap_NatsServer struct { func (x *Bootstrap_NatsServer) Reset() { *x = Bootstrap_NatsServer{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[14] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1107,7 +1040,7 @@ func (x *Bootstrap_NatsServer) String() string { func (*Bootstrap_NatsServer) ProtoMessage() {} func (x *Bootstrap_NatsServer) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[14] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[13] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1174,7 +1107,7 @@ type Bootstrap_Observability_Sentry struct { func (x *Bootstrap_Observability_Sentry) Reset() { *x = Bootstrap_Observability_Sentry{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[15] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[14] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1186,7 +1119,7 @@ func (x *Bootstrap_Observability_Sentry) String() string { func (*Bootstrap_Observability_Sentry) ProtoMessage() {} func (x *Bootstrap_Observability_Sentry) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[15] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[14] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1233,7 +1166,7 @@ type Bootstrap_Observability_Tracing struct { func (x *Bootstrap_Observability_Tracing) Reset() { *x = Bootstrap_Observability_Tracing{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[16] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[15] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1245,7 +1178,7 @@ func (x *Bootstrap_Observability_Tracing) String() string { func (*Bootstrap_Observability_Tracing) ProtoMessage() {} func (x *Bootstrap_Observability_Tracing) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[16] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[15] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1303,7 +1236,7 @@ type Server_HTTP struct { func (x *Server_HTTP) Reset() { *x = Server_HTTP{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[17] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[16] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1315,7 +1248,7 @@ func (x *Server_HTTP) String() string { func (*Server_HTTP) ProtoMessage() {} func (x *Server_HTTP) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[17] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[16] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1328,7 +1261,7 @@ func (x *Server_HTTP) ProtoReflect() protoreflect.Message { // Deprecated: Use Server_HTTP.ProtoReflect.Descriptor instead. func (*Server_HTTP) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6, 0} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5, 0} } func (x *Server_HTTP) GetNetwork() string { @@ -1370,7 +1303,7 @@ type Server_TLS struct { func (x *Server_TLS) Reset() { *x = Server_TLS{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[18] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[17] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1382,7 +1315,7 @@ func (x *Server_TLS) String() string { func (*Server_TLS) ProtoMessage() {} func (x *Server_TLS) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[18] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[17] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1395,7 +1328,7 @@ func (x *Server_TLS) ProtoReflect() protoreflect.Message { // Deprecated: Use Server_TLS.ProtoReflect.Descriptor instead. func (*Server_TLS) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6, 1} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5, 1} } func (x *Server_TLS) GetCertificate() string { @@ -1427,7 +1360,7 @@ type Server_GRPC struct { func (x *Server_GRPC) Reset() { *x = Server_GRPC{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[19] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[18] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1439,7 +1372,7 @@ func (x *Server_GRPC) String() string { func (*Server_GRPC) ProtoMessage() {} func (x *Server_GRPC) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[19] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[18] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1452,7 +1385,7 @@ func (x *Server_GRPC) ProtoReflect() protoreflect.Message { // Deprecated: Use Server_GRPC.ProtoReflect.Descriptor instead. func (*Server_GRPC) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6, 2} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{5, 2} } func (x *Server_GRPC) GetNetwork() string { @@ -1506,7 +1439,7 @@ type Data_Database struct { func (x *Data_Database) Reset() { *x = Data_Database{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[20] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[19] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1518,7 +1451,7 @@ func (x *Data_Database) String() string { func (*Data_Database) ProtoMessage() {} func (x *Data_Database) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[20] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[19] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1531,7 +1464,7 @@ func (x *Data_Database) ProtoReflect() protoreflect.Message { // Deprecated: Use Data_Database.ProtoReflect.Descriptor instead. func (*Data_Database) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{7, 0} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{6, 0} } func (x *Data_Database) GetDriver() string { @@ -1583,7 +1516,7 @@ type Auth_OIDC struct { func (x *Auth_OIDC) Reset() { *x = Auth_OIDC{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[21] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[20] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1595,7 +1528,7 @@ func (x *Auth_OIDC) String() string { func (*Auth_OIDC) ProtoMessage() {} func (x *Auth_OIDC) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[21] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[20] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1608,7 +1541,7 @@ func (x *Auth_OIDC) ProtoReflect() protoreflect.Message { // Deprecated: Use Auth_OIDC.ProtoReflect.Descriptor instead. func (*Auth_OIDC) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{8, 0} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{7, 0} } func (x *Auth_OIDC) GetDomain() string { @@ -1650,7 +1583,7 @@ type CA_FileCA struct { func (x *CA_FileCA) Reset() { *x = CA_FileCA{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[22] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[21] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1662,7 +1595,7 @@ func (x *CA_FileCA) String() string { func (*CA_FileCA) ProtoMessage() {} func (x *CA_FileCA) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[22] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[21] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1675,7 +1608,7 @@ func (x *CA_FileCA) ProtoReflect() protoreflect.Message { // Deprecated: Use CA_FileCA.ProtoReflect.Descriptor instead. func (*CA_FileCA) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{10, 0} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{9, 0} } func (x *CA_FileCA) GetCertPath() string { @@ -1716,7 +1649,7 @@ type CA_EJBCA struct { func (x *CA_EJBCA) Reset() { *x = CA_EJBCA{} - mi := &file_controlplane_config_v1_conf_proto_msgTypes[23] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[22] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1728,7 +1661,7 @@ func (x *CA_EJBCA) String() string { func (*CA_EJBCA) ProtoMessage() {} func (x *CA_EJBCA) ProtoReflect() protoreflect.Message { - mi := &file_controlplane_config_v1_conf_proto_msgTypes[23] + mi := &file_controlplane_config_v1_conf_proto_msgTypes[22] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1741,7 +1674,7 @@ func (x *CA_EJBCA) ProtoReflect() protoreflect.Message { // Deprecated: Use CA_EJBCA.ProtoReflect.Descriptor instead. func (*CA_EJBCA) Descriptor() ([]byte, []int) { - return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{10, 1} + return file_controlplane_config_v1_conf_proto_rawDescGZIP(), []int{9, 1} } func (x *CA_EJBCA) GetServerUrl() string { @@ -1797,7 +1730,7 @@ var File_controlplane_config_v1_conf_proto protoreflect.FileDescriptor const file_controlplane_config_v1_conf_proto_rawDesc = "" + "\n" + - "!controlplane/config/v1/conf.proto\x12\x16controlplane.config.v1\x1a\x1bbuf/validate/validate.proto\x1a#controlplane/config/v1/config.proto\x1a\x1bcredentials/v1/config.proto\x1a\x1egoogle/protobuf/duration.proto\"\xf5\x11\n" + + "!controlplane/config/v1/conf.proto\x12\x16controlplane.config.v1\x1a\x1bbuf/validate/validate.proto\x1a#controlplane/config/v1/config.proto\x1a\x1bcredentials/v1/config.proto\x1a\x1egoogle/protobuf/duration.proto\"\xb1\x11\n" + "\tBootstrap\x126\n" + "\x06server\x18\x01 \x01(\v2\x1e.controlplane.config.v1.ServerR\x06server\x120\n" + "\x04data\x18\x02 \x01(\v2\x1c.controlplane.config.v1.DataR\x04data\x120\n" + @@ -1807,8 +1740,7 @@ const file_controlplane_config_v1_conf_proto_rawDesc = "" + "\n" + "cas_server\x18\x06 \x01(\v2+.controlplane.config.v1.Bootstrap.CASServerR\tcasServer\x12\x1f\n" + "\vplugins_dir\x18\a \x01(\tR\n" + - "pluginsDir\x12_\n" + - "\x15referrer_shared_index\x18\b \x01(\v2+.controlplane.config.v1.ReferrerSharedIndexR\x13referrerSharedIndex\x12S\n" + + "pluginsDir\x12S\n" + "\x15certificate_authority\x18\t \x01(\v2\x1a.controlplane.config.v1.CAB\x02\x18\x01R\x14certificateAuthority\x12S\n" + "\x17certificate_authorities\x18\x0f \x03(\v2\x1a.controlplane.config.v1.CAR\x16certificateAuthorities\x12P\n" + "\x15timestamp_authorities\x18\x11 \x03(\v2\x1b.controlplane.config.v1.TSAR\x14timestampAuthorities\x12F\n" + @@ -1848,7 +1780,7 @@ const file_controlplane_config_v1_conf_proto_rawDesc = "" + "\x03uri\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x03uri\x12\x1f\n" + "\x05token\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01H\x00R\x05token\x12\x1a\n" + "\breplicas\x18\x03 \x01(\x05R\breplicasB\x10\n" + - "\x0eauthentication\"6\n" + + "\x0eauthenticationJ\x04\b\b\x10\tR\x15referrer_shared_index\"6\n" + "\fAttestations\x12&\n" + "\x0fskip_db_storage\x18\x01 \x01(\bR\rskipDbStorage\"v\n" + "\x1eOperationAuthorizationProvider\x12\x1a\n" + @@ -1865,10 +1797,7 @@ const file_controlplane_config_v1_conf_proto_rawDesc = "" + "\rname.dns-1123\x12:must contain only lowercase letters, numbers, and hyphens.\x1a/this.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')R\x04name\x12\x18\n" + "\adefault\x18\x02 \x01(\bR\adefault\x12\x16\n" + "\x04host\x18\x03 \x01(\tB\x02\x18\x01R\x04host\x12\x10\n" + - "\x03url\x18\x04 \x01(\tR\x03url\"R\n" + - "\x13ReferrerSharedIndex\x12\x18\n" + - "\aenabled\x18\x01 \x01(\bR\aenabled\x12!\n" + - "\fallowed_orgs\x18\x02 \x03(\tR\vallowedOrgs\"\xfe\x04\n" + + "\x03url\x18\x04 \x01(\tR\x03url\"\xfe\x04\n" + "\x06Server\x127\n" + "\x04http\x18\x01 \x01(\v2#.controlplane.config.v1.Server.HTTPR\x04http\x127\n" + "\x04grpc\x18\x02 \x01(\v2#.controlplane.config.v1.Server.GRPCR\x04grpc\x12F\n" + @@ -1947,75 +1876,73 @@ func file_controlplane_config_v1_conf_proto_rawDescGZIP() []byte { return file_controlplane_config_v1_conf_proto_rawDescData } -var file_controlplane_config_v1_conf_proto_msgTypes = make([]protoimpl.MessageInfo, 24) +var file_controlplane_config_v1_conf_proto_msgTypes = make([]protoimpl.MessageInfo, 23) var file_controlplane_config_v1_conf_proto_goTypes = []any{ (*Bootstrap)(nil), // 0: controlplane.config.v1.Bootstrap (*Attestations)(nil), // 1: controlplane.config.v1.Attestations (*OperationAuthorizationProvider)(nil), // 2: controlplane.config.v1.OperationAuthorizationProvider (*FederatedAuthentication)(nil), // 3: controlplane.config.v1.FederatedAuthentication (*PolicyProvider)(nil), // 4: controlplane.config.v1.PolicyProvider - (*ReferrerSharedIndex)(nil), // 5: controlplane.config.v1.ReferrerSharedIndex - (*Server)(nil), // 6: controlplane.config.v1.Server - (*Data)(nil), // 7: controlplane.config.v1.Data - (*Auth)(nil), // 8: controlplane.config.v1.Auth - (*TSA)(nil), // 9: controlplane.config.v1.TSA - (*CA)(nil), // 10: controlplane.config.v1.CA - (*PrometheusIntegrationSpec)(nil), // 11: controlplane.config.v1.PrometheusIntegrationSpec - (*Bootstrap_Observability)(nil), // 12: controlplane.config.v1.Bootstrap.Observability - (*Bootstrap_CASServer)(nil), // 13: controlplane.config.v1.Bootstrap.CASServer - (*Bootstrap_NatsServer)(nil), // 14: controlplane.config.v1.Bootstrap.NatsServer - (*Bootstrap_Observability_Sentry)(nil), // 15: controlplane.config.v1.Bootstrap.Observability.Sentry - (*Bootstrap_Observability_Tracing)(nil), // 16: controlplane.config.v1.Bootstrap.Observability.Tracing - (*Server_HTTP)(nil), // 17: controlplane.config.v1.Server.HTTP - (*Server_TLS)(nil), // 18: controlplane.config.v1.Server.TLS - (*Server_GRPC)(nil), // 19: controlplane.config.v1.Server.GRPC - (*Data_Database)(nil), // 20: controlplane.config.v1.Data.Database - (*Auth_OIDC)(nil), // 21: controlplane.config.v1.Auth.OIDC - (*CA_FileCA)(nil), // 22: controlplane.config.v1.CA.FileCA - (*CA_EJBCA)(nil), // 23: controlplane.config.v1.CA.EJBCA - (*v1.Credentials)(nil), // 24: credentials.v1.Credentials - (*v11.OnboardingSpec)(nil), // 25: controlplane.config.v1.OnboardingSpec - (*v11.AllowList)(nil), // 26: controlplane.config.v1.AllowList - (*durationpb.Duration)(nil), // 27: google.protobuf.Duration + (*Server)(nil), // 5: controlplane.config.v1.Server + (*Data)(nil), // 6: controlplane.config.v1.Data + (*Auth)(nil), // 7: controlplane.config.v1.Auth + (*TSA)(nil), // 8: controlplane.config.v1.TSA + (*CA)(nil), // 9: controlplane.config.v1.CA + (*PrometheusIntegrationSpec)(nil), // 10: controlplane.config.v1.PrometheusIntegrationSpec + (*Bootstrap_Observability)(nil), // 11: controlplane.config.v1.Bootstrap.Observability + (*Bootstrap_CASServer)(nil), // 12: controlplane.config.v1.Bootstrap.CASServer + (*Bootstrap_NatsServer)(nil), // 13: controlplane.config.v1.Bootstrap.NatsServer + (*Bootstrap_Observability_Sentry)(nil), // 14: controlplane.config.v1.Bootstrap.Observability.Sentry + (*Bootstrap_Observability_Tracing)(nil), // 15: controlplane.config.v1.Bootstrap.Observability.Tracing + (*Server_HTTP)(nil), // 16: controlplane.config.v1.Server.HTTP + (*Server_TLS)(nil), // 17: controlplane.config.v1.Server.TLS + (*Server_GRPC)(nil), // 18: controlplane.config.v1.Server.GRPC + (*Data_Database)(nil), // 19: controlplane.config.v1.Data.Database + (*Auth_OIDC)(nil), // 20: controlplane.config.v1.Auth.OIDC + (*CA_FileCA)(nil), // 21: controlplane.config.v1.CA.FileCA + (*CA_EJBCA)(nil), // 22: controlplane.config.v1.CA.EJBCA + (*v1.Credentials)(nil), // 23: credentials.v1.Credentials + (*v11.OnboardingSpec)(nil), // 24: controlplane.config.v1.OnboardingSpec + (*v11.AllowList)(nil), // 25: controlplane.config.v1.AllowList + (*durationpb.Duration)(nil), // 26: google.protobuf.Duration } var file_controlplane_config_v1_conf_proto_depIdxs = []int32{ - 6, // 0: controlplane.config.v1.Bootstrap.server:type_name -> controlplane.config.v1.Server - 7, // 1: controlplane.config.v1.Bootstrap.data:type_name -> controlplane.config.v1.Data - 8, // 2: controlplane.config.v1.Bootstrap.auth:type_name -> controlplane.config.v1.Auth - 12, // 3: controlplane.config.v1.Bootstrap.observability:type_name -> controlplane.config.v1.Bootstrap.Observability - 24, // 4: controlplane.config.v1.Bootstrap.credentials_service:type_name -> credentials.v1.Credentials - 13, // 5: controlplane.config.v1.Bootstrap.cas_server:type_name -> controlplane.config.v1.Bootstrap.CASServer - 5, // 6: controlplane.config.v1.Bootstrap.referrer_shared_index:type_name -> controlplane.config.v1.ReferrerSharedIndex - 10, // 7: controlplane.config.v1.Bootstrap.certificate_authority:type_name -> controlplane.config.v1.CA - 10, // 8: controlplane.config.v1.Bootstrap.certificate_authorities:type_name -> controlplane.config.v1.CA - 9, // 9: controlplane.config.v1.Bootstrap.timestamp_authorities:type_name -> controlplane.config.v1.TSA - 25, // 10: controlplane.config.v1.Bootstrap.onboarding:type_name -> controlplane.config.v1.OnboardingSpec - 11, // 11: controlplane.config.v1.Bootstrap.prometheus_integration:type_name -> controlplane.config.v1.PrometheusIntegrationSpec - 4, // 12: controlplane.config.v1.Bootstrap.policy_providers:type_name -> controlplane.config.v1.PolicyProvider - 14, // 13: controlplane.config.v1.Bootstrap.nats_server:type_name -> controlplane.config.v1.Bootstrap.NatsServer - 3, // 14: controlplane.config.v1.Bootstrap.federated_authentication:type_name -> controlplane.config.v1.FederatedAuthentication - 2, // 15: controlplane.config.v1.Bootstrap.operation_authorization_provider:type_name -> controlplane.config.v1.OperationAuthorizationProvider - 1, // 16: controlplane.config.v1.Bootstrap.attestations:type_name -> controlplane.config.v1.Attestations - 17, // 17: controlplane.config.v1.Server.http:type_name -> controlplane.config.v1.Server.HTTP - 19, // 18: controlplane.config.v1.Server.grpc:type_name -> controlplane.config.v1.Server.GRPC - 17, // 19: controlplane.config.v1.Server.http_metrics:type_name -> controlplane.config.v1.Server.HTTP - 20, // 20: controlplane.config.v1.Data.database:type_name -> controlplane.config.v1.Data.Database - 26, // 21: controlplane.config.v1.Auth.allow_list:type_name -> controlplane.config.v1.AllowList - 21, // 22: controlplane.config.v1.Auth.oidc:type_name -> controlplane.config.v1.Auth.OIDC - 22, // 23: controlplane.config.v1.CA.file_ca:type_name -> controlplane.config.v1.CA.FileCA - 23, // 24: controlplane.config.v1.CA.ejbca_ca:type_name -> controlplane.config.v1.CA.EJBCA - 15, // 25: controlplane.config.v1.Bootstrap.Observability.sentry:type_name -> controlplane.config.v1.Bootstrap.Observability.Sentry - 16, // 26: controlplane.config.v1.Bootstrap.Observability.tracing:type_name -> controlplane.config.v1.Bootstrap.Observability.Tracing - 19, // 27: controlplane.config.v1.Bootstrap.CASServer.grpc:type_name -> controlplane.config.v1.Server.GRPC - 27, // 28: controlplane.config.v1.Server.HTTP.timeout:type_name -> google.protobuf.Duration - 27, // 29: controlplane.config.v1.Server.GRPC.timeout:type_name -> google.protobuf.Duration - 18, // 30: controlplane.config.v1.Server.GRPC.tls_config:type_name -> controlplane.config.v1.Server.TLS - 27, // 31: controlplane.config.v1.Data.Database.max_conn_idle_time:type_name -> google.protobuf.Duration - 32, // [32:32] is the sub-list for method output_type - 32, // [32:32] is the sub-list for method input_type - 32, // [32:32] is the sub-list for extension type_name - 32, // [32:32] is the sub-list for extension extendee - 0, // [0:32] is the sub-list for field type_name + 5, // 0: controlplane.config.v1.Bootstrap.server:type_name -> controlplane.config.v1.Server + 6, // 1: controlplane.config.v1.Bootstrap.data:type_name -> controlplane.config.v1.Data + 7, // 2: controlplane.config.v1.Bootstrap.auth:type_name -> controlplane.config.v1.Auth + 11, // 3: controlplane.config.v1.Bootstrap.observability:type_name -> controlplane.config.v1.Bootstrap.Observability + 23, // 4: controlplane.config.v1.Bootstrap.credentials_service:type_name -> credentials.v1.Credentials + 12, // 5: controlplane.config.v1.Bootstrap.cas_server:type_name -> controlplane.config.v1.Bootstrap.CASServer + 9, // 6: controlplane.config.v1.Bootstrap.certificate_authority:type_name -> controlplane.config.v1.CA + 9, // 7: controlplane.config.v1.Bootstrap.certificate_authorities:type_name -> controlplane.config.v1.CA + 8, // 8: controlplane.config.v1.Bootstrap.timestamp_authorities:type_name -> controlplane.config.v1.TSA + 24, // 9: controlplane.config.v1.Bootstrap.onboarding:type_name -> controlplane.config.v1.OnboardingSpec + 10, // 10: controlplane.config.v1.Bootstrap.prometheus_integration:type_name -> controlplane.config.v1.PrometheusIntegrationSpec + 4, // 11: controlplane.config.v1.Bootstrap.policy_providers:type_name -> controlplane.config.v1.PolicyProvider + 13, // 12: controlplane.config.v1.Bootstrap.nats_server:type_name -> controlplane.config.v1.Bootstrap.NatsServer + 3, // 13: controlplane.config.v1.Bootstrap.federated_authentication:type_name -> controlplane.config.v1.FederatedAuthentication + 2, // 14: controlplane.config.v1.Bootstrap.operation_authorization_provider:type_name -> controlplane.config.v1.OperationAuthorizationProvider + 1, // 15: controlplane.config.v1.Bootstrap.attestations:type_name -> controlplane.config.v1.Attestations + 16, // 16: controlplane.config.v1.Server.http:type_name -> controlplane.config.v1.Server.HTTP + 18, // 17: controlplane.config.v1.Server.grpc:type_name -> controlplane.config.v1.Server.GRPC + 16, // 18: controlplane.config.v1.Server.http_metrics:type_name -> controlplane.config.v1.Server.HTTP + 19, // 19: controlplane.config.v1.Data.database:type_name -> controlplane.config.v1.Data.Database + 25, // 20: controlplane.config.v1.Auth.allow_list:type_name -> controlplane.config.v1.AllowList + 20, // 21: controlplane.config.v1.Auth.oidc:type_name -> controlplane.config.v1.Auth.OIDC + 21, // 22: controlplane.config.v1.CA.file_ca:type_name -> controlplane.config.v1.CA.FileCA + 22, // 23: controlplane.config.v1.CA.ejbca_ca:type_name -> controlplane.config.v1.CA.EJBCA + 14, // 24: controlplane.config.v1.Bootstrap.Observability.sentry:type_name -> controlplane.config.v1.Bootstrap.Observability.Sentry + 15, // 25: controlplane.config.v1.Bootstrap.Observability.tracing:type_name -> controlplane.config.v1.Bootstrap.Observability.Tracing + 18, // 26: controlplane.config.v1.Bootstrap.CASServer.grpc:type_name -> controlplane.config.v1.Server.GRPC + 26, // 27: controlplane.config.v1.Server.HTTP.timeout:type_name -> google.protobuf.Duration + 26, // 28: controlplane.config.v1.Server.GRPC.timeout:type_name -> google.protobuf.Duration + 17, // 29: controlplane.config.v1.Server.GRPC.tls_config:type_name -> controlplane.config.v1.Server.TLS + 26, // 30: controlplane.config.v1.Data.Database.max_conn_idle_time:type_name -> google.protobuf.Duration + 31, // [31:31] is the sub-list for method output_type + 31, // [31:31] is the sub-list for method input_type + 31, // [31:31] is the sub-list for extension type_name + 31, // [31:31] is the sub-list for extension extendee + 0, // [0:31] is the sub-list for field type_name } func init() { file_controlplane_config_v1_conf_proto_init() } @@ -2023,21 +1950,21 @@ func file_controlplane_config_v1_conf_proto_init() { if File_controlplane_config_v1_conf_proto != nil { return } - file_controlplane_config_v1_conf_proto_msgTypes[10].OneofWrappers = []any{ + file_controlplane_config_v1_conf_proto_msgTypes[9].OneofWrappers = []any{ (*CA_FileCa)(nil), (*CA_EjbcaCa)(nil), } - file_controlplane_config_v1_conf_proto_msgTypes[14].OneofWrappers = []any{ + file_controlplane_config_v1_conf_proto_msgTypes[13].OneofWrappers = []any{ (*Bootstrap_NatsServer_Token)(nil), } - file_controlplane_config_v1_conf_proto_msgTypes[16].OneofWrappers = []any{} + file_controlplane_config_v1_conf_proto_msgTypes[15].OneofWrappers = []any{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_controlplane_config_v1_conf_proto_rawDesc), len(file_controlplane_config_v1_conf_proto_rawDesc)), NumEnums: 0, - NumMessages: 24, + NumMessages: 23, NumExtensions: 0, NumServices: 0, }, diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf.proto b/app/controlplane/internal/conf/controlplane/config/v1/conf.proto index 0442ab0e4..1a04c8881 100644 --- a/app/controlplane/internal/conf/controlplane/config/v1/conf.proto +++ b/app/controlplane/internal/conf/controlplane/config/v1/conf.proto @@ -35,8 +35,8 @@ message Bootstrap { // Plugins directory // NOTE: plugins have the form of chainloop-plugin- string plugins_dir = 7; - // Configuration about the shared referrer index - ReferrerSharedIndex referrer_shared_index = 8; + reserved 8; + reserved "referrer_shared_index"; // The certificate authority used for keyless signing (deprecated, use certificate_authorities instead) CA certificate_authority = 9 [deprecated = true]; @@ -170,17 +170,6 @@ message PolicyProvider { string url = 4; // Note. Validations not applied not to break compatibility with current deployments } -// Configuration used to enable a shared index API endpoint that can be used to discover metadata referrers -// To populate the shared index you need to enable the feature and configure the allowed orgs -// The reason to have an org allowList is to avoid leaking metadata from other organizations and set the stage for a trusted publisher model -message ReferrerSharedIndex { - // If the shared, public index feature is enabled - bool enabled = 1; - // list of organizations uuids that are allowed to appear in the shared referrer index - // think of it as a list of trusted publishers - repeated string allowed_orgs = 2; -} - message Server { message HTTP { string network = 1; diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf_test.go b/app/controlplane/internal/conf/controlplane/config/v1/conf_test.go deleted file mode 100644 index 3f6d14478..000000000 --- a/app/controlplane/internal/conf/controlplane/config/v1/conf_test.go +++ /dev/null @@ -1,75 +0,0 @@ -// -// Copyright 2023 The Chainloop Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package conf - -import ( - "testing" - - "github.com/stretchr/testify/assert" -) - -func TestValidateOrgs(t *testing.T) { - testCases := []struct { - name string - index *ReferrerSharedIndex - wantErrMsg string - }{ - { - name: "nil configuration", - index: nil, - }, - { - name: "enabled but without orgs", - index: &ReferrerSharedIndex{ - Enabled: true, - }, - wantErrMsg: "index is enabled, but no orgs are allowed", - }, - { - name: "enabled with invalid orgs", - index: &ReferrerSharedIndex{ - Enabled: true, - AllowedOrgs: []string{"invalid"}, - }, - wantErrMsg: "invalid org id: invalid", - }, - { - name: "with invalid orgs but disabled", - index: &ReferrerSharedIndex{ - Enabled: false, - AllowedOrgs: []string{"invalid"}, - }, - }, - { - name: "enabled with valid orgs", - index: &ReferrerSharedIndex{ - Enabled: true, - AllowedOrgs: []string{"00000000-0000-0000-0000-000000000000"}, - }, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - err := tc.index.ValidateOrgs() - if tc.wantErrMsg != "" { - assert.EqualError(t, err, tc.wantErrMsg) - } else { - assert.NoError(t, err) - } - }) - } -} diff --git a/app/controlplane/internal/dispatcher/dispatcher.go b/app/controlplane/internal/dispatcher/dispatcher.go index 925af4f41..07d3b5872 100644 --- a/app/controlplane/internal/dispatcher/dispatcher.go +++ b/app/controlplane/internal/dispatcher/dispatcher.go @@ -115,7 +115,7 @@ func (d *FanOutDispatcher) Run(ctx context.Context, opts *RunOpts) error { return fmt.Errorf("workflow not found") } - wfRun, err := d.wfRunUC.GetByIDInOrgOrPublic(ctx, opts.OrgID, opts.WorkflowRunID) + wfRun, err := d.wfRunUC.GetByIDInOrg(ctx, opts.OrgID, opts.WorkflowRunID) if err != nil { return fmt.Errorf("finding workflow: %w", err) } else if wfRun == nil { diff --git a/app/controlplane/internal/server/grpc.go b/app/controlplane/internal/server/grpc.go index f46a4d8f2..38711d932 100644 --- a/app/controlplane/internal/server/grpc.go +++ b/app/controlplane/internal/server/grpc.go @@ -102,7 +102,7 @@ type Opts struct { } var ( - currentUserSkipRegexp = regexp.MustCompile("(controlplane.v1.AttestationService/.*|controlplane.v1.StatusService/.*|controlplane.v1.ReferrerService/DiscoverPublicShared|controlplane.v1.AttestationStateService|controlplane.v1.SigningService)") + currentUserSkipRegexp = regexp.MustCompile("(controlplane.v1.AttestationService/.*|controlplane.v1.StatusService/.*|controlplane.v1.AttestationStateService|controlplane.v1.SigningService)") fullyConfiguredOrgSkipRegexp = regexp.MustCompile("controlplane.v1.OCIRepositoryService/.*|controlplane.v1.ContextService/Current|/controlplane.v1.OrganizationService/.*|/controlplane.v1.AuthService/DeleteAccount|controlplane.v1.CASBackendService/.*|/controlplane.v1.UserService/.*|controlplane.v1.SigningService/.*") fullyConfiguredCASBackendRequireRegexp = regexp.MustCompile("/controlplane.v1.AttestationService.GetUploadCreds|/controlplane.v1.AttestationService.Init|/controlplane.v1.AttestationService.Store|/controlplane.v1.CASCredentialsService.Get") allowListSkipRegexp = regexp.MustCompile("controlplane.v1.ContextService/Current|/controlplane.v1.AuthService/DeleteAccount") diff --git a/app/controlplane/internal/service/attestation.go b/app/controlplane/internal/service/attestation.go index bfeed5266..d42148509 100644 --- a/app/controlplane/internal/service/attestation.go +++ b/app/controlplane/internal/service/attestation.go @@ -263,7 +263,7 @@ func (s *AttestationService) Store(ctx context.Context, req *cpAPI.AttestationSe return nil, err } - wRun, err := s.wrUseCase.GetByIDInOrgOrPublic(ctx, robotAccount.OrgID, req.WorkflowRunId) + wRun, err := s.wrUseCase.GetByIDInOrg(ctx, robotAccount.OrgID, req.WorkflowRunId) if err != nil { return nil, handleUseCaseErr(err, s.log) } else if wRun == nil { @@ -441,7 +441,7 @@ func (s *AttestationService) Cancel(ctx context.Context, req *cpAPI.AttestationS return nil, err } - wRun, err := s.wrUseCase.GetByIDInOrgOrPublic(ctx, robotAccount.OrgID, req.WorkflowRunId) + wRun, err := s.wrUseCase.GetByIDInOrg(ctx, robotAccount.OrgID, req.WorkflowRunId) if err != nil { return nil, handleUseCaseErr(err, s.log) } else if wRun == nil { @@ -465,7 +465,7 @@ func (s *AttestationService) GetUploadCreds(ctx context.Context, req *cpAPI.Atte // Find the CAS backend associated with this workflowRun, that's the one that will be used to upload the materials // NOTE: currently we only support one backend per workflowRun but this will change in the future // This is the new mode, where the CAS backend ref is stored in the workflow run since initialization - wRun, err := s.wrUseCase.GetByIDInOrgOrPublic(ctx, robotAccount.OrgID, req.WorkflowRunId) + wRun, err := s.wrUseCase.GetByIDInOrg(ctx, robotAccount.OrgID, req.WorkflowRunId) if err != nil { return nil, handleUseCaseErr(err, s.log) } else if wRun == nil { diff --git a/app/controlplane/internal/service/referrer.go b/app/controlplane/internal/service/referrer.go index 9275d33c7..883aca7db 100644 --- a/app/controlplane/internal/service/referrer.go +++ b/app/controlplane/internal/service/referrer.go @@ -96,26 +96,6 @@ func (s *ReferrerService) DiscoverPrivate(ctx context.Context, req *pb.ReferrerS }, nil } -// DiscoverPublicShared implements the deprecated public shared index RPC, kept for backwards compatibility. -// -//nolint:staticcheck // the RPC is deprecated but still served -func (s *ReferrerService) DiscoverPublicShared(ctx context.Context, req *pb.DiscoverPublicSharedRequest) (*pb.DiscoverPublicSharedResponse, error) { - paginationOpts, err := referrerPaginationOptsFromProto(req.GetPagination()) - if err != nil { - return nil, err - } - - res, nextCursor, err := s.referrerUC.GetFromRootInPublicSharedIndex(ctx, req.GetDigest(), req.GetKind(), paginationOpts) - if err != nil { - return nil, handleUseCaseErr(err, s.log) - } - - return &pb.DiscoverPublicSharedResponse{ - Result: bizReferrerToPb(res), - Pagination: bizCursorToPb(nextCursor), - }, nil -} - // defaultReferrerPageSize is the page size applied when a referrer Discover* request // arrives without pagination. It deliberately overrides the package-wide // pagination.DefaultCursorLimit (10) because referrer responses render nested references @@ -144,7 +124,6 @@ func bizReferrerToPb(r *biz.StoredReferrer) *pb.ReferrerItem { item := &pb.ReferrerItem{ Digest: r.Digest, Downloadable: r.Downloadable, - Public: r.InPublicWorkflow, Kind: r.Kind, CreatedAt: timestamppb.New(*r.CreatedAt), Metadata: r.Metadata, diff --git a/app/controlplane/internal/service/workflow.go b/app/controlplane/internal/service/workflow.go index fd99d597d..808b8637c 100644 --- a/app/controlplane/internal/service/workflow.go +++ b/app/controlplane/internal/service/workflow.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -88,7 +88,6 @@ func (s *WorkflowService) Create(ctx context.Context, req *pb.WorkflowServiceCre ContractName: req.GetContractName(), ContractBytes: req.GetContractBytes(), Description: req.GetDescription(), - Public: req.GetPublic(), OrgRestrictContractCreationToAdmins: org.RestrictContractCreationToOrgAdmins, } @@ -143,7 +142,6 @@ func (s *WorkflowService) Update(ctx context.Context, req *pb.WorkflowServiceUpd updateOpts := &biz.WorkflowUpdateOpts{ Team: req.Team, - Public: req.Public, Description: req.Description, ContractID: contractID, } @@ -200,12 +198,6 @@ func (s *WorkflowService) List(ctx context.Context, req *pb.WorkflowServiceListR filters.WorkflowProjectNames = req.GetProjectNames() } - // Workflow visibility - if req.WorkflowPublic != nil { - val := req.GetWorkflowPublic() - filters.WorkflowPublic = &val - } - // Workflow Run Runner Type if req.GetWorkflowRunRunnerType() != schema.CraftingSchema_Runner_RUNNER_TYPE_UNSPECIFIED { filters.WorkflowRunRunnerType = req.GetWorkflowRunRunnerType().String() @@ -302,7 +294,7 @@ func (s *WorkflowService) View(ctx context.Context, req *pb.WorkflowServiceViewR func bizWorkflowToPb(wf *biz.Workflow) *pb.WorkflowItem { item := &pb.WorkflowItem{ Id: wf.ID.String(), Name: wf.Name, CreatedAt: timestamppb.New(*wf.CreatedAt), - Project: wf.Project, Team: wf.Team, RunsCount: int32(wf.RunsCounter), Public: wf.Public, + Project: wf.Project, Team: wf.Team, RunsCount: int32(wf.RunsCounter), Description: wf.Description, ContractRevisionLatest: int32(wf.ContractRevisionLatest), ContractName: wf.ContractName, ProjectId: wf.ProjectID.String(), diff --git a/app/controlplane/internal/service/workflowrun.go b/app/controlplane/internal/service/workflowrun.go index 1f9bf174b..973722218 100644 --- a/app/controlplane/internal/service/workflowrun.go +++ b/app/controlplane/internal/service/workflowrun.go @@ -254,12 +254,12 @@ func (s *WorkflowRunService) View(ctx context.Context, req *pb.WorkflowRunServic var run *biz.WorkflowRun switch { case req.GetId() != "": - run, err = s.wrUseCase.GetByIDInOrgOrPublic(ctx, currentOrg.ID, req.GetId()) + run, err = s.wrUseCase.GetByIDInOrg(ctx, currentOrg.ID, req.GetId()) if err != nil { return nil, handleUseCaseErr(err, s.log) } case req.GetDigest() != "": - run, err = s.wrUseCase.GetByDigestInOrgOrPublic(ctx, currentOrg.ID, req.GetDigest()) + run, err = s.wrUseCase.GetByDigestInOrg(ctx, currentOrg.ID, req.GetDigest()) if err != nil { return nil, handleUseCaseErr(err, s.log) } @@ -267,11 +267,9 @@ func (s *WorkflowRunService) View(ctx context.Context, req *pb.WorkflowRunServic return nil, errors.BadRequest("invalid", "id or digest required") } - // Apply RBAC only if workflow is not public - if !run.Workflow.Public { - if err = s.authorizeResource(ctx, authz.PolicyWorkflowRunRead, authz.ResourceTypeProject, run.Workflow.ProjectID); err != nil { - return nil, err - } + // Enforce project-scoped RBAC on the workflow run + if err = s.authorizeResource(ctx, authz.PolicyWorkflowRunRead, authz.ResourceTypeProject, run.Workflow.ProjectID); err != nil { + return nil, err } var verificationResult *pb.WorkflowRunServiceViewResponse_VerificationResult diff --git a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated.json b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated.json index 8552d1535..06cedfd94 100644 --- a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated.json +++ b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated.json @@ -13,8 +13,7 @@ "workflow_name": "test-contract", "project_name": "test-project", "new_description": "test description", - "new_team": "test-team", - "new_public": true + "new_team": "test-team" }, - "Digest": "sha256:96de55711fafc04c5f2e7a0b6d6a40df835bde6c9dbe148b00f565b3915c2229" + "Digest": "sha256:b7804ee0d41dae80a6bdf51d265213641e31f95eeb1041314ec54dfe108460d7" } \ No newline at end of file diff --git a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_by_api_token.json b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_by_api_token.json index 5c14d7fb6..e4e660316 100644 --- a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_by_api_token.json +++ b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_by_api_token.json @@ -13,8 +13,7 @@ "workflow_name": "test-contract", "project_name": "test-project", "new_description": "test description", - "new_team": "test-team", - "new_public": true + "new_team": "test-team" }, - "Digest": "sha256:fc33dee1b1a043d847a6c4c0d945f75d18508675569f43915a7149e9e756ad65" + "Digest": "sha256:8e7e749962224439f25efce9428336f94f2b77b384bfe5f0885208a0d203da94" } \ No newline at end of file diff --git a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract.json b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract.json index a1cdaad29..43c0c5a3a 100644 --- a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract.json +++ b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract.json @@ -14,9 +14,8 @@ "project_name": "test-project", "new_description": "test description", "new_team": "test-team", - "new_public": true, "new_workflow_contract_id": "1089bb36-e27b-428b-8009-d015c8737c54", "new_workflow_contract_name": "test-contract" }, - "Digest": "sha256:9e28ae18fa9d44faa4a6d072f928bd9b70bda9aded9abdcedc776819f4e638e7" + "Digest": "sha256:30cbab2d2e989f8026610e0e81c4b2602f4f68c2cb440a8bd40ef54a84f75883" } \ No newline at end of file diff --git a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract_by_api_token.json b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract_by_api_token.json index 5d70976d0..46777e0cd 100644 --- a/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract_by_api_token.json +++ b/app/controlplane/pkg/auditor/events/testdata/workflows/workflow_updated_with_workflow_contract_by_api_token.json @@ -14,9 +14,8 @@ "project_name": "test-project", "new_description": "test description", "new_team": "test-team", - "new_public": true, "new_workflow_contract_id": "1089bb36-e27b-428b-8009-d015c8737c54", "new_workflow_contract_name": "test-contract" }, - "Digest": "sha256:9e28ae18fa9d44faa4a6d072f928bd9b70bda9aded9abdcedc776819f4e638e7" + "Digest": "sha256:30cbab2d2e989f8026610e0e81c4b2602f4f68c2cb440a8bd40ef54a84f75883" } \ No newline at end of file diff --git a/app/controlplane/pkg/auditor/events/workflow.go b/app/controlplane/pkg/auditor/events/workflow.go index 2971c6d34..e335560e3 100644 --- a/app/controlplane/pkg/auditor/events/workflow.go +++ b/app/controlplane/pkg/auditor/events/workflow.go @@ -1,5 +1,5 @@ // -// Copyright 2025 The Chainloop Authors. +// Copyright 2025-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -69,7 +69,6 @@ type WorkflowCreated struct { WorkflowContractName string `json:"workflow_contract_name,omitempty"` WorkflowDescription *string `json:"description,omitempty"` Team *string `json:"team,omitempty"` - Public bool `json:"public,omitempty"` } func (w *WorkflowCreated) TargetID() *uuid.UUID { @@ -99,7 +98,6 @@ type WorkflowUpdated struct { *WorkflowBase NewDescription *string `json:"new_description,omitempty"` NewTeam *string `json:"new_team,omitempty"` - NewPublic *bool `json:"new_public,omitempty"` NewWorkflowContractID *uuid.UUID `json:"new_workflow_contract_id,omitempty"` NewWorkflowContractName *string `json:"new_workflow_contract_name,omitempty"` } diff --git a/app/controlplane/pkg/auditor/events/workflow_test.go b/app/controlplane/pkg/auditor/events/workflow_test.go index e45da3ce1..45ad8c246 100644 --- a/app/controlplane/pkg/auditor/events/workflow_test.go +++ b/app/controlplane/pkg/auditor/events/workflow_test.go @@ -1,5 +1,5 @@ // -// Copyright 2025 The Chainloop Authors. +// Copyright 2025-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -65,7 +65,6 @@ func TestWorkflowEvents(t *testing.T) { WorkflowContractName: wfContractName, WorkflowDescription: &wfDescription, Team: &newTeam, - Public: false, }, expected: "testdata/workflows/workflow_created.json", actor: auditor.ActorTypeUser, @@ -83,7 +82,6 @@ func TestWorkflowEvents(t *testing.T) { WorkflowContractName: wfContractName, WorkflowDescription: &wfDescription, Team: &newTeam, - Public: false, }, expected: "testdata/workflows/workflow_created_by_api_token.json", actor: auditor.ActorTypeAPIToken, @@ -99,7 +97,6 @@ func TestWorkflowEvents(t *testing.T) { }, NewDescription: &wfDescription, NewTeam: &newTeam, - NewPublic: boolPtr(true), }, expected: "testdata/workflows/workflow_updated.json", actor: auditor.ActorTypeUser, @@ -115,7 +112,6 @@ func TestWorkflowEvents(t *testing.T) { }, NewDescription: &wfDescription, NewTeam: &newTeam, - NewPublic: boolPtr(true), }, expected: "testdata/workflows/workflow_updated_by_api_token.json", actor: auditor.ActorTypeAPIToken, @@ -131,7 +127,6 @@ func TestWorkflowEvents(t *testing.T) { }, NewDescription: &wfDescription, NewTeam: &newTeam, - NewPublic: boolPtr(true), NewWorkflowContractID: &wfContractUUID, NewWorkflowContractName: &wfContractName, }, @@ -149,7 +144,6 @@ func TestWorkflowEvents(t *testing.T) { }, NewDescription: &wfDescription, NewTeam: &newTeam, - NewPublic: boolPtr(true), NewWorkflowContractID: &wfContractUUID, NewWorkflowContractName: &wfContractName, }, @@ -220,7 +214,3 @@ func TestWorkflowEvents(t *testing.T) { }) } } - -func boolPtr(b bool) *bool { - return &b -} diff --git a/app/controlplane/pkg/authz/authz_consistency_test.go b/app/controlplane/pkg/authz/authz_consistency_test.go index 437126256..1be3b6062 100644 --- a/app/controlplane/pkg/authz/authz_consistency_test.go +++ b/app/controlplane/pkg/authz/authz_consistency_test.go @@ -70,7 +70,6 @@ var authzExemptProcedures = map[string]struct{}{ "/controlplane.v1.SigningService/GetTrustedRoot": {}, "/controlplane.v1.StatusService/Infoz": {}, "/controlplane.v1.StatusService/Statusz": {}, - "/controlplane.v1.ReferrerService/DiscoverPublicShared": {}, } // adminOnlyProcedures lists controlplane.v1 procedures that reach the authorization middleware but diff --git a/app/controlplane/pkg/biz/casmapping.go b/app/controlplane/pkg/biz/casmapping.go index d2d76c0d7..2cc2ad3ff 100644 --- a/app/controlplane/pkg/biz/casmapping.go +++ b/app/controlplane/pkg/biz/casmapping.go @@ -36,9 +36,7 @@ type CASMapping struct { CASBackend *CASBackend Digest string CreatedAt *time.Time - // A public mapping means that the material/attestation can be downloaded by anyone - Public bool - ProjectID uuid.UUID + ProjectID uuid.UUID } type CASMappingFindOptions struct { @@ -52,9 +50,6 @@ type CASMappingRepo interface { // FindByDigestInOrgs returns a single accessible mapping for the digest within the given orgs // (honouring project RBAC), preferring the default backend. Returns (nil, nil) when none exists. FindByDigestInOrgs(ctx context.Context, digest string, orgs []uuid.UUID, projectIDs map[uuid.UUID][]uuid.UUID) (*CASMapping, error) - // FindPublicByDigest returns a single public mapping for the digest, preferring the default - // backend. Returns (nil, nil) when no public mapping exists. - FindPublicByDigest(ctx context.Context, digest string) (*CASMapping, error) } type CASMappingUseCase struct { @@ -91,10 +86,8 @@ func (uc *CASMappingUseCase) Create(ctx context.Context, digest string, casBacke } // FindCASMappingForDownloadByUser returns the CASMapping appropriate for the given digest and user. -// This means, in order: -// 1 - Any mapping that points to an organization which the user is member of. -// 1.1 If there are multiple mappings, it will pick the default one or the first one. -// 2 - Any mapping that is public. +// It returns a mapping that points to an organization the user is a member of (honoring project +// RBAC); if there are multiple, it picks the default one or the first one. func (uc *CASMappingUseCase) FindCASMappingForDownloadByUser(ctx context.Context, digest string, userID string) (*CASMapping, error) { ctx, span := otelx.Start(ctx, casMappingTracer, "CASMappingUseCase.FindCASMappingForDownloadByUser") defer span.End() @@ -132,7 +125,7 @@ func (uc *CASMappingUseCase) FindCASMappingForDownloadByOrg(ctx context.Context, // log the result defer func() { if result != nil { - uc.logger.Infow("msg", "mapping found!", "digest", digest, "orgs", orgs, "casBackend", result.CASBackend.ID, "default", result.CASBackend.Default, "public", result.Public) + uc.logger.Infow("msg", "mapping found!", "digest", digest, "orgs", orgs, "casBackend", result.CASBackend.ID, "default", result.CASBackend.Default) } else if err == nil || IsNotFound(err) { uc.logger.Infow("msg", "no mapping found!", "digest", digest, "orgs", orgs) } @@ -142,23 +135,14 @@ func (uc *CASMappingUseCase) FindCASMappingForDownloadByOrg(ctx context.Context, return nil, NewErrValidationStr("no organizations provided") } - // 1 - A mapping reachable through one of the user's orgs (honouring project RBAC), selected and + // A mapping reachable through one of the user's orgs (honouring project RBAC), selected and // bounded in the database. This is the common path and stays cheap regardless of how many // mappings a digest has accumulated. mapping, err := uc.repo.FindByDigestInOrgs(ctx, digest, orgs, projectIDs) if err != nil { return nil, fmt.Errorf("failed to find cas mapping in orgs: %w", err) - } else if mapping != nil { - return mapping, nil - } - - // 2 - Otherwise, fall back to a public mapping. This only runs when the requester has no - // org-level access to the digest. - mapping, err = uc.repo.FindPublicByDigest(ctx, digest) - if err != nil { - return nil, fmt.Errorf("failed to find public cas mapping: %w", err) } else if mapping == nil { - uc.logger.Warnw("msg", "digest exist but user does not have access to it", "digest", digest, "orgs", orgs) + uc.logger.Warnw("msg", "digest not accessible to the requesting orgs", "digest", digest, "orgs", orgs) return nil, NewErrNotFound("digest not found in any mapping") } diff --git a/app/controlplane/pkg/biz/casmapping_integration_test.go b/app/controlplane/pkg/biz/casmapping_integration_test.go index 42a5ccb74..909dce304 100644 --- a/app/controlplane/pkg/biz/casmapping_integration_test.go +++ b/app/controlplane/pkg/biz/casmapping_integration_test.go @@ -81,11 +81,11 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadUser() { s.Nil(mapping) }) - s.Run("userOrg1And2 can download validDigestPublic from org3", func() { + s.Run("userOrg1And2 can not download validDigestPublic from org3", func() { + // Cross-org download is no longer possible: access is granted through org membership only. mapping, err := s.CASMapping.FindCASMappingForDownloadByUser(context.TODO(), validDigestPublic, s.userOrg1And2.ID) - s.NoError(err) - s.NotNil(mapping) - s.Equal(s.casBackend3.ID, mapping.CASBackend.ID) + s.Error(err) + s.Nil(mapping) }) s.Run("userOrg2 can download validDigest2 from org2", func() { @@ -95,11 +95,10 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadUser() { s.Equal(s.casBackend2.ID, mapping.CASBackend.ID) }) - s.Run("userOrg2 can download validDigestPublic from org3", func() { + s.Run("userOrg2 can not download validDigestPublic from org3", func() { mapping, err := s.CASMapping.FindCASMappingForDownloadByUser(context.TODO(), validDigestPublic, s.userOrg2.ID) - s.NoError(err) - s.NotNil(mapping) - s.Equal(s.casBackend3.ID, mapping.CASBackend.ID) + s.Error(err) + s.Nil(mapping) }) s.Run("userOrg2 can download validDigest from org2", func() { @@ -133,11 +132,10 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadByOrg() { s.Equal(s.casBackend1.ID, mapping.CASBackend.ID) }) - s.Run("validDigestPublic is available from any org", func() { + s.Run("validDigestPublic is not available from an unrelated org", func() { mapping, err := s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigestPublic, []uuid.UUID{uuid.New()}, nil) - s.NoError(err) - s.NotNil(mapping) - s.Equal(s.casBackend3.ID, mapping.CASBackend.ID) + s.Error(err) + s.Nil(mapping) }) s.Run("validDigestWithoutRun is available only to org 3", func() { @@ -191,20 +189,6 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadPrefersDefaultBack s.Require().NotNil(mapping) s.Equal(nonDefaultBackend.ID, mapping.CASBackend.ID) }) - - s.Run("public download returns the default backend even when it is mapped last", func() { - // Public mappings (workflow is public) across two backends, non-default created first. - _, err := s.CASMapping.Create(ctx, validDigestPublic, nonDefaultBackend.ID.String(), &biz.CASMappingCreateOpts{WorkflowRunID: &s.publicWorkflowRun.ID}) - require.NoError(s.T(), err) - _, err = s.CASMapping.Create(ctx, validDigestPublic, s.casBackend1.ID.String(), &biz.CASMappingCreateOpts{WorkflowRunID: &s.publicWorkflowRun.ID}) - require.NoError(s.T(), err) - - // A requester with no access to org1 falls back to the public mappings. - mapping, err := s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigestPublic, []uuid.UUID{uuid.New()}, nil) - s.NoError(err) - s.Require().NotNil(mapping) - s.Equal(s.casBackend1.ID, mapping.CASBackend.ID) - }) } // When RBAC is enabled for an org (projectIDs carries an entry for it), only mappings whose project @@ -266,23 +250,6 @@ func (s *casMappingIntegrationSuite) TestCASMappingForDownloadSkipsSoftDeleted() s.Error(err) s.Nil(mapping) }) - - s.Run("public download skips a mapping whose workflow is soft-deleted", func() { - _, err := s.CASMapping.Create(ctx, validDigest2, s.casBackend1.ID.String(), &biz.CASMappingCreateOpts{WorkflowRunID: &s.publicWorkflowRun.ID}) - require.NoError(s.T(), err) - - // A non-member can reach it through the public fallback while the workflow is public. - mapping, err := s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigest2, []uuid.UUID{uuid.New()}, nil) - s.NoError(err) - s.Require().NotNil(mapping) - - require.NoError(s.T(), s.Workflow.Delete(ctx, s.org1.ID, s.publicWorkflow.ID.String())) - - // Once the workflow is soft-deleted the mapping is no longer public. - mapping, err = s.CASMapping.FindCASMappingForDownloadByOrg(ctx, validDigest2, []uuid.UUID{uuid.New()}, nil) - s.Error(err) - s.Nil(mapping) - }) } func (s *casMappingIntegrationSuite) TestCreate() { @@ -292,7 +259,6 @@ func (s *casMappingIntegrationSuite) TestCreate() { casBackendID uuid.UUID workflowRunID *uuid.UUID wantErr bool - wantPublic bool }{ { name: "valid", @@ -335,17 +301,15 @@ func (s *casMappingIntegrationSuite) TestCreate() { wantErr: true, }, { - name: "public workflowrun", + name: "associated to a workflowrun", digest: validDigest, casBackendID: s.casBackend1.ID, workflowRunID: biz.ToPtr(s.publicWorkflowRun.ID), - wantPublic: true, }, { name: "not associated to any workflowrun", digest: validDigest, casBackendID: s.casBackend1.ID, - wantPublic: false, }, } @@ -354,7 +318,6 @@ func (s *casMappingIntegrationSuite) TestCreate() { Digest: validDigest, CASBackend: &biz.CASBackend{ID: s.casBackend1.ID}, OrgID: s.casBackend1.OrganizationID, - Public: tc.wantPublic, } if tc.workflowRunID != nil { @@ -425,7 +388,7 @@ func (s *casMappingIntegrationSuite) SetupTest() { s.projectID = workflow.ProjectID - publicWorkflow, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-workflow-public", OrgID: s.org1.ID, Public: true, Project: "test-project"}) + publicWorkflow, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-workflow-public", OrgID: s.org1.ID, Project: "test-project"}) assert.NoError(err) s.publicWorkflow = publicWorkflow diff --git a/app/controlplane/pkg/biz/casmapping_test.go b/app/controlplane/pkg/biz/casmapping_test.go index 5bb757128..3b0b81a64 100644 --- a/app/controlplane/pkg/biz/casmapping_test.go +++ b/app/controlplane/pkg/biz/casmapping_test.go @@ -72,7 +72,6 @@ func (s *casMappingSuite) TestCreate() { CASBackend: &biz.CASBackend{ID: validUUID}, WorkflowRunID: validUUID, OrgID: validUUID, - Public: false, } // Mock successful repo call diff --git a/app/controlplane/pkg/biz/mocks/CASMappingRepo.go b/app/controlplane/pkg/biz/mocks/CASMappingRepo.go index 55639e8e3..6b36c85f9 100644 --- a/app/controlplane/pkg/biz/mocks/CASMappingRepo.go +++ b/app/controlplane/pkg/biz/mocks/CASMappingRepo.go @@ -198,71 +198,3 @@ func (_c *CASMappingRepo_FindByDigestInOrgs_Call) RunAndReturn(run func(ctx cont _c.Call.Return(run) return _c } - -// FindPublicByDigest provides a mock function for the type CASMappingRepo -func (_mock *CASMappingRepo) FindPublicByDigest(ctx context.Context, digest string) (*biz.CASMapping, error) { - ret := _mock.Called(ctx, digest) - - if len(ret) == 0 { - panic("no return value specified for FindPublicByDigest") - } - - var r0 *biz.CASMapping - var r1 error - if returnFunc, ok := ret.Get(0).(func(context.Context, string) (*biz.CASMapping, error)); ok { - return returnFunc(ctx, digest) - } - if returnFunc, ok := ret.Get(0).(func(context.Context, string) *biz.CASMapping); ok { - r0 = returnFunc(ctx, digest) - } else { - if ret.Get(0) != nil { - r0 = ret.Get(0).(*biz.CASMapping) - } - } - if returnFunc, ok := ret.Get(1).(func(context.Context, string) error); ok { - r1 = returnFunc(ctx, digest) - } else { - r1 = ret.Error(1) - } - return r0, r1 -} - -// CASMappingRepo_FindPublicByDigest_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'FindPublicByDigest' -type CASMappingRepo_FindPublicByDigest_Call struct { - *mock.Call -} - -// FindPublicByDigest is a helper method to define mock.On call -// - ctx context.Context -// - digest string -func (_e *CASMappingRepo_Expecter) FindPublicByDigest(ctx interface{}, digest interface{}) *CASMappingRepo_FindPublicByDigest_Call { - return &CASMappingRepo_FindPublicByDigest_Call{Call: _e.mock.On("FindPublicByDigest", ctx, digest)} -} - -func (_c *CASMappingRepo_FindPublicByDigest_Call) Run(run func(ctx context.Context, digest string)) *CASMappingRepo_FindPublicByDigest_Call { - _c.Call.Run(func(args mock.Arguments) { - var arg0 context.Context - if args[0] != nil { - arg0 = args[0].(context.Context) - } - var arg1 string - if args[1] != nil { - arg1 = args[1].(string) - } - run( - arg0, - arg1, - ) - }) - return _c -} - -func (_c *CASMappingRepo_FindPublicByDigest_Call) Return(cASMapping *biz.CASMapping, err error) *CASMappingRepo_FindPublicByDigest_Call { - _c.Call.Return(cASMapping, err) - return _c -} - -func (_c *CASMappingRepo_FindPublicByDigest_Call) RunAndReturn(run func(ctx context.Context, digest string) (*biz.CASMapping, error)) *CASMappingRepo_FindPublicByDigest_Call { - _c.Call.Return(run) - return _c -} diff --git a/app/controlplane/pkg/biz/referrer.go b/app/controlplane/pkg/biz/referrer.go index 48c6022db..c607d7e9e 100644 --- a/app/controlplane/pkg/biz/referrer.go +++ b/app/controlplane/pkg/biz/referrer.go @@ -23,7 +23,6 @@ import ( "sort" "time" - conf "github.com/chainloop-dev/chainloop/app/controlplane/internal/conf/controlplane/config/v1" "github.com/chainloop-dev/chainloop/app/controlplane/pkg/pagination" v2 "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/api/attestation/v1" "github.com/chainloop-dev/chainloop/pkg/attestation/renderer/chainloop" @@ -43,44 +42,17 @@ type ReferrerUseCase struct { membershipUseCase *MembershipUseCase workflowRepo WorkflowRepo logger *log.Helper - indexConfig *ReferrerSharedIndexConfig } -type ReferrerSharedIndexConfig struct { - Enabled bool - AllowedOrgs []string -} - -func NewIndexConfig(cfg *conf.ReferrerSharedIndex) (*ReferrerSharedIndexConfig, error) { - // referrer shared index is optional, if not configured, it's disabled - if cfg == nil { - return nil, nil - } - - if err := cfg.ValidateOrgs(); err != nil { - return nil, fmt.Errorf("invalid shared index config: %w", err) - } - - return &ReferrerSharedIndexConfig{ - Enabled: cfg.Enabled, - AllowedOrgs: cfg.AllowedOrgs, - }, nil -} - -func NewReferrerUseCase(repo ReferrerRepo, wfRepo WorkflowRepo, membershipUseCase *MembershipUseCase, indexCfg *ReferrerSharedIndexConfig, l log.Logger) (*ReferrerUseCase, error) { +func NewReferrerUseCase(repo ReferrerRepo, wfRepo WorkflowRepo, membershipUseCase *MembershipUseCase, l log.Logger) (*ReferrerUseCase, error) { if l == nil { l = log.NewStdLogger(io.Discard) } logger := servicelogger.ScopedHelper(l, "biz/referrer") - if indexCfg != nil && indexCfg.Enabled { - logger.Infow("msg", "shared index enabled", "allowedOrgs", indexCfg.AllowedOrgs) - } - return &ReferrerUseCase{ repo: repo, membershipUseCase: membershipUseCase, - indexConfig: indexCfg, workflowRepo: wfRepo, logger: logger, }, nil @@ -104,9 +76,7 @@ type Referrer struct { Kind string // Wether the item is downloadable from CAS or not Downloadable bool - // If this referrer is part of a public workflow - InPublicWorkflow bool - References []*Referrer + References []*Referrer Metadata, Annotations map[string]string } @@ -127,8 +97,6 @@ type ProjectID = uuid.UUID type GetFromRootFilters struct { // RootKind is the kind of the root referrer, i.e ATTESTATION RootKind *string - // Wether to filter by visibility or not - Public *bool // ProjectIDs stores visible projects by org for the requesting user. // If an org entry doesn't exist, it means that RBAC is not applied, hence all projects in that org are visible ProjectIDs map[OrgID][]ProjectID @@ -162,12 +130,6 @@ func WithVisibleProjectIDs(projectIDs map[OrgID][]ProjectID) func(*GetFromRootFi } } -func WithPublicVisibility(public bool) func(*GetFromRootFilters) { - return func(o *GetFromRootFilters) { - o.Public = &public - } -} - // ExtractAndPersist extracts the referrers (subject + materials) from the given attestation // and store it as part of the referrers index table func (s *ReferrerUseCase) ExtractAndPersist(ctx context.Context, att *dsse.Envelope, digest cr_v1.Hash, workflowID string) error { @@ -215,9 +177,8 @@ func (s *ReferrerUseCase) GetFromRootUser(ctx context.Context, digest, rootKind, return nil, "", err } - // We pass the list of organizationsIDs from where to look for the referrer - // For now we just pass the list of organizations the user is member of - // in the future we will expand this to publicly available orgs and so on. + // We pass the list of organizationsIDs from where to look for the referrer: + // the organizations the user is a member of. return s.GetFromRoot(ctx, digest, rootKind, userOrgs, projectIDs, p, extraFilters...) } @@ -248,47 +209,6 @@ func (s *ReferrerUseCase) GetFromRoot(ctx context.Context, digest, rootKind stri return ref, nextCursor, nil } -// Get the list of public referrers from organizations -// that have been allowed to be shown in a shared index -// NOTE: This is a public endpoint under /discover/[sha256:deadbeef] -func (s *ReferrerUseCase) GetFromRootInPublicSharedIndex(ctx context.Context, digest, rootKind string, p *pagination.CursorOptions) (*StoredReferrer, string, error) { - ctx, span := otelx.Start(ctx, referrerTracer, "ReferrerUseCase.GetFromRootInPublicSharedIndex") - defer span.End() - - if s.indexConfig == nil || !s.indexConfig.Enabled { - return nil, "", NewErrUnauthorizedStr("shared referrer index functionality is not enabled") - } - - // Load the organizations that are allowed to appear in the shared index - orgIDs := make([]uuid.UUID, 0) - for _, orgID := range s.indexConfig.AllowedOrgs { - orgUUID, err := uuid.Parse(orgID) - if err != nil { - return nil, "", NewErrInvalidUUID(err) - } - orgIDs = append(orgIDs, orgUUID) - } - - // and ask only for the public referrers of those orgs - filters := []GetFromRootFilter{WithPublicVisibility(true)} - if rootKind != "" { - filters = append(filters, WithKind(rootKind)) - } - - ref, nextCursor, err := s.repo.GetFromRoot(ctx, digest, orgIDs, p, filters...) - if err != nil { - if errors.As(err, &ErrAmbiguousReferrer{}) { - return nil, "", NewErrValidation(fmt.Errorf("please provide the referrer kind: %w", err)) - } - - return nil, "", fmt.Errorf("getting referrer from root: %w", err) - } else if ref == nil { - return nil, "", NewErrNotFound(fmt.Sprintf("artifact or piece of evidence with digest %s", digest)) - } - - return ref, nextCursor, nil -} - const ( // ReferrerAttestationType is the kind of the referrer that represents an attestation. ReferrerAttestationType = "ATTESTATION" diff --git a/app/controlplane/pkg/biz/referrer_integration_test.go b/app/controlplane/pkg/biz/referrer_integration_test.go index ad62e12ef..e73eb6207 100644 --- a/app/controlplane/pkg/biz/referrer_integration_test.go +++ b/app/controlplane/pkg/biz/referrer_integration_test.go @@ -18,8 +18,6 @@ package biz_test import ( "bytes" "context" - "encoding/json" - "os" "strings" "sync" "testing" @@ -32,91 +30,11 @@ import ( creds "github.com/chainloop-dev/chainloop/pkg/credentials/mocks" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/uuid" - "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" ) -func (s *referrerIntegrationTestSuite) TestGetFromRootInPublicSharedIndex() { - // Load attestation - attJSON, err := os.ReadFile("testdata/attestations/with-git-subject.json") - require.NoError(s.T(), err) - var envelope *dsse.Envelope - require.NoError(s.T(), json.Unmarshal(attJSON, &envelope)) - h, _, err := v1.SHA256(bytes.NewReader(attJSON)) - require.NoError(s.T(), err) - wantReferrerAtt := &biz.Referrer{ - Digest: h.String(), - Kind: "ATTESTATION", - Downloadable: true, - } - - // We'll store the attestation in the private only index - ctx := context.Background() - s.Run("public endpoint fails if feature not enabled", func() { - _, _, err := s.Referrer.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.ErrorContains(err, "not enabled") - }) - - s.Run("storing it associated with a private workflow keeps it private and not in the index", func() { - err = s.sharedEnabledUC.ExtractAndPersist(ctx, envelope, h, s.workflow1.ID.String()) - require.NoError(s.T(), err) - ref, _, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID, nil) - s.NoError(err) - s.False(ref.InPublicWorkflow) - res, _, err := s.sharedEnabledUC.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.True(biz.IsNotFound(err)) - s.Nil(res) - }) - - s.T().Run("storing it associated with a public workflow but not allowed org keeps it out of the index", func(t *testing.T) { - // Make workflow2 public - _, err := s.Workflow.Update(ctx, s.org2.ID, s.workflow2.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}) - require.NoError(t, err) - - err = s.sharedEnabledUC.ExtractAndPersist(ctx, envelope, h, s.workflow2.ID.String()) - require.NoError(s.T(), err) - // It's marked as public in the internal index - ref, _, err := s.sharedEnabledUC.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID, nil) - s.NoError(err) - s.True(ref.InPublicWorkflow) - - // But it's not in the public shared index because the org 2 is not whitelisted - res, _, err := s.sharedEnabledUC.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.True(biz.IsNotFound(err)) - s.Nil(res) - }) - - s.T().Run("it should appear if we whitelist org2", func(t *testing.T) { - uc, err := biz.NewReferrerUseCase(s.Repos.Referrer, s.Repos.Workflow, s.Membership, - &biz.ReferrerSharedIndexConfig{ - Enabled: true, - AllowedOrgs: []string{s.org2.ID}, - }, nil) - require.NoError(t, err) - // Now it's public since org2 is whitelisted - res, _, err := uc.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.NoError(err) - s.Equal(wantReferrerAtt.Digest, res.Digest) - }) - - s.T().Run("or we can make the workflow 1 public", func(t *testing.T) { - // reset workflow2 to private - _, err := s.Workflow.Update(ctx, s.org2.ID, s.workflow2.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(false)}) - require.NoError(t, err) - // Make workflow1 public - _, err = s.Workflow.Update(ctx, s.org1.ID, s.workflow1.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}) - require.NoError(t, err) - err = s.sharedEnabledUC.ExtractAndPersist(ctx, envelope, h, s.workflow2.ID.String()) - require.NoError(s.T(), err) - // Now it's public since org1 is whitelisted - res, _, err := s.sharedEnabledUC.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "", nil) - s.NoError(err) - s.Equal(wantReferrerAtt.Digest, res.Digest) - }) -} - func (s *referrerIntegrationTestSuite) TestExtractAndPersistsDependentAttestation() { envelope, attJSON := testEnvelope(s.T(), "testdata/attestations/with-dependent-attestation.json") h, _, err := v1.SHA256(bytes.NewReader(attJSON)) @@ -407,27 +325,10 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() { s.Contains(gotDigests, "sha256:5f4d1baadaf3e439f769f11c7ba0c5f77dad27d00689144d1311b48e65818bbd") }) - s.T().Run("if all associated workflows are private, the referrer is private", func(t *testing.T) { + s.T().Run("returns the associated workflow IDs", func(_ *testing.T) { got, _, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID, nil) s.NoError(err) - s.False(got.InPublicWorkflow) s.Equal([]uuid.UUID{s.workflow2.ID, s.workflow1.ID}, got.WorkflowIDs) - for _, r := range got.References { - s.False(r.InPublicWorkflow) - } - }) - - s.T().Run("the referrer will be public if one associated workflow is public", func(t *testing.T) { - // Make workflow1 public - _, err := s.Workflow.Update(ctx, s.org1.ID, s.workflow1.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}) - require.NoError(t, err) - - got, _, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID, nil) - s.NoError(err) - s.True(got.InPublicWorkflow) - for _, r := range got.References { - s.True(r.InPublicWorkflow) - } }) } @@ -668,36 +569,6 @@ func (s *referrerIntegrationTestSuite) TestGetFromRootProjectVersionFilter() { s.Equal(sbomDigest, got.Digest) }) - s.Run("public workflow stays visible under the version filter regardless of RBAC", func() { - // A workflow whose project is NOT in the caller's RBAC-visible set, but which is public — - // matching isReferrerVisible's InPublicWorkflow short-circuit. The version filter must - // honor the same convention or it silently hides referrers that are otherwise visible. - wfPublic, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{ - Name: "wf-public", Team: "team", OrgID: s.org1.ID, Project: "public-proj", - }) - require.NoError(s.T(), err) - _, err = s.Workflow.Update(ctx, s.org1.ID, wfPublic.ID.String(), &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}) - require.NoError(s.T(), err) - require.NoError(s.T(), s.Referrer.ExtractAndPersist(ctx, envelope, h, wfPublic.ID.String())) - - contractPublic, err := s.WorkflowContract.Describe(ctx, s.org1.ID, wfPublic.ContractID.String(), 0) - require.NoError(s.T(), err) - runPublic, err := s.WorkflowRun.Create(ctx, &biz.WorkflowRunCreateOpts{ - WorkflowID: wfPublic.ID.String(), ContractRevision: contractPublic, CASBackendID: casBackend.ID, - ProjectVersion: "v1.0.0", - }) - require.NoError(s.T(), err) - require.NoError(s.T(), s.Repos.WorkflowRunRepo.SaveAttestationDigest(ctx, runPublic.ID, h.String(), false)) - - // RBAC restricts the caller to project "test" — "public-proj" is NOT in their set. - rbac := map[biz.OrgID][]biz.ProjectID{s.org1UUID: {s.workflow1.ProjectID}} - - got, _, err := s.Referrer.GetFromRoot(ctx, sbomDigest, "", []uuid.UUID{s.org1UUID}, rbac, nil, biz.WithProjectScope("public-proj", "v1.0.0")) - s.NoError(err, "public workflow must remain discoverable even when RBAC excludes its project") - s.Require().NotNil(got) - s.Equal(sbomDigest, got.Digest) - }) - s.Run("material root cannot bypass version scoping by supplying a cursor", func() { // A second project version whose run points to an unrelated attestation digest, so the // SBOM (only referenced by the v1.0.0 attestation) does not belong to it. @@ -724,7 +595,6 @@ type referrerIntegrationTestSuite struct { workflow1, workflow2 *biz.Workflow org1UUID, org2UUID uuid.UUID user, user2 *biz.User - sharedEnabledUC *biz.ReferrerUseCase run *biz.WorkflowRun } @@ -765,13 +635,6 @@ func (s *referrerIntegrationTestSuite) SetupTest() { _, err = s.Membership.Create(ctx, s.org2.ID, s.user2.ID, biz.WithCurrentMembership()) require.NoError(s.T(), err) - s.sharedEnabledUC, err = biz.NewReferrerUseCase(s.Repos.Referrer, s.Repos.Workflow, s.Membership, - &biz.ReferrerSharedIndexConfig{ - Enabled: true, - AllowedOrgs: []string{s.org1.ID}, - }, nil) - require.NoError(s.T(), err) - // Find contract revision contractVersion, err := s.WorkflowContract.Describe(ctx, s.org1.ID, s.workflow1.ContractID.String(), 0) require.NoError(s.T(), err) diff --git a/app/controlplane/pkg/biz/referrer_test.go b/app/controlplane/pkg/biz/referrer_test.go index 50772bdf9..9399bb97f 100644 --- a/app/controlplane/pkg/biz/referrer_test.go +++ b/app/controlplane/pkg/biz/referrer_test.go @@ -1,5 +1,5 @@ // -// Copyright 2024-2025 The Chainloop Authors. +// Copyright 2024-2026 The Chainloop Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -23,47 +23,10 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/secure-systems-lab/go-securesystemslib/dsse" - "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" ) -func (s *referrerTestSuite) TestInitialization() { - testCases := []struct { - name string - conf *ReferrerSharedIndexConfig - wantErrMsg string - }{ - { - name: "nil configuration", - }, - { - name: "disabled", - conf: &ReferrerSharedIndexConfig{ - Enabled: false, - }, - }, - { - name: "enabled with valid orgs", - conf: &ReferrerSharedIndexConfig{ - Enabled: true, - AllowedOrgs: []string{"00000000-0000-0000-0000-000000000000"}, - }, - }, - } - - for _, tc := range testCases { - s.T().Run(tc.name, func(t *testing.T) { - _, err := NewReferrerUseCase(nil, nil, nil, tc.conf, nil) - if tc.wantErrMsg != "" { - assert.EqualError(t, err, tc.wantErrMsg) - } else { - assert.NoError(t, err) - } - }) - } -} - func (s *referrerTestSuite) TestExtractReferrers() { var fullAttReferrer = &Referrer{ Digest: "sha256:63f811807585a7359882fc4e28bc8e08555d9743aa07a2965217b30ef2ba14a5", diff --git a/app/controlplane/pkg/biz/testhelpers/wire.go b/app/controlplane/pkg/biz/testhelpers/wire.go index 0149de519..6af7e31ba 100644 --- a/app/controlplane/pkg/biz/testhelpers/wire.go +++ b/app/controlplane/pkg/biz/testhelpers/wire.go @@ -50,7 +50,6 @@ func WireTestData(context.Context, *TestDatabase, *testing.T, log.Logger, creden wire.Build( data.ProviderSet, biz.ProviderSet, - wire.Value(&conf.ReferrerSharedIndex{}), wire.Struct(new(TestingUseCases), "*"), wire.Struct(new(TestingRepos), "*"), NewConfData, @@ -67,7 +66,6 @@ func WireTestData(context.Context, *TestDatabase, *testing.T, log.Logger, creden newJWTConfig, authzConfig, authzUseCaseConfig, - biz.NewIndexConfig, newAttestationBundleCache, newNilCASClient, newNoopTracerProvider, diff --git a/app/controlplane/pkg/biz/testhelpers/wire_gen.go b/app/controlplane/pkg/biz/testhelpers/wire_gen.go index a4cad431c..187fea5ee 100644 --- a/app/controlplane/pkg/biz/testhelpers/wire_gen.go +++ b/app/controlplane/pkg/biz/testhelpers/wire_gen.go @@ -148,13 +148,7 @@ func WireTestData(contextContext context.Context, testDatabase *TestDatabase, t return nil, nil, err } referrerRepo := data.NewReferrerRepo(dataData, workflowRepo, logger) - referrerSharedIndex := _wireReferrerSharedIndexValue - referrerSharedIndexConfig, err := biz.NewIndexConfig(referrerSharedIndex) - if err != nil { - cleanup() - return nil, nil, err - } - referrerUseCase, err := biz.NewReferrerUseCase(referrerRepo, workflowRepo, membershipUseCase, referrerSharedIndexConfig, logger) + referrerUseCase, err := biz.NewReferrerUseCase(referrerRepo, workflowRepo, membershipUseCase, logger) if err != nil { cleanup() return nil, nil, err @@ -218,10 +212,6 @@ func WireTestData(contextContext context.Context, testDatabase *TestDatabase, t }, nil } -var ( - _wireReferrerSharedIndexValue = &conf.ReferrerSharedIndex{} -) - // wire.go: func newAttestationBundleCache() *attestationbundle.Cache { diff --git a/app/controlplane/pkg/biz/workflow.go b/app/controlplane/pkg/biz/workflow.go index f869a5ad2..755f1c225 100644 --- a/app/controlplane/pkg/biz/workflow.go +++ b/app/controlplane/pkg/biz/workflow.go @@ -42,11 +42,7 @@ type Workflow struct { ContractName string // Latest available contract revision ContractRevisionLatest int - // Public means that the associated workflow runs, attestations and materials - // are reachable by other users, regardless of their organization - // This field is also used to calculate if an user can download attestations/materials from the CAS - Public bool - ProjectID uuid.UUID + ProjectID uuid.UUID // WorkflowTemplateID references the platform workflow template this workflow was created from WorkflowTemplateID *uuid.UUID } @@ -78,9 +74,6 @@ type WorkflowCreateOpts struct { ContractBytes []byte // DetectedContract is the detected contract from the contract bytes DetectedContract *Contract - // Public means that the associated workflow runs, attestations and materials - // are reachable by other users, regardless of their organization - Public bool // Owner identifies the user to be marked as owner of the project Owner *uuid.UUID @@ -96,7 +89,6 @@ type WorkflowCreateOpts struct { type WorkflowUpdateOpts struct { Team, Description, ContractID *string - Public *bool } // WorkflowListOpts is the options to filter the list of workflows @@ -109,8 +101,6 @@ type WorkflowListOpts struct { WorkflowTeam string // WorkflowProjectNames is the project name of the workflow WorkflowProjectNames []string - // WorkflowPublic is the flag to filter public workflows - WorkflowPublic *bool // WorkflowActiveWindow is the active window of the workflow WorkflowRunRunnerType string // WorkflowActiveWindow is the active window of the workflow @@ -241,7 +231,6 @@ func (uc *WorkflowUseCase) Create(ctx context.Context, opts *WorkflowCreateOpts) WorkflowContractName: wf.ContractName, WorkflowDescription: &opts.Description, Team: &opts.Team, - Public: opts.Public, }, &orgUUID) // Dispatch events to the audit log regarding the contract @@ -330,7 +319,6 @@ func (uc *WorkflowUseCase) dispatchWorkflowUpdatedEvent(ctx context.Context, wf }, NewDescription: opts.Description, NewTeam: opts.Team, - NewPublic: opts.Public, } if opts.ContractID != nil && newWfContract != nil { diff --git a/app/controlplane/pkg/biz/workflow_integration_test.go b/app/controlplane/pkg/biz/workflow_integration_test.go index 842334589..4b90568fa 100644 --- a/app/controlplane/pkg/biz/workflow_integration_test.go +++ b/app/controlplane/pkg/biz/workflow_integration_test.go @@ -299,10 +299,6 @@ func (s *workflowIntegrationTestSuite) TestUpdate() { contract2, err := s.WorkflowContract.Create(ctx, &biz.WorkflowContractCreateOpts{Name: "contract-2", OrgID: org2.ID}) require.NoError(s.T(), err) - s.Run("by default the workflow is private", func() { - s.False(workflow.Public) - }) - s.Run("can't update if no changes are provided", func() { got, err := s.Workflow.Update(ctx, org2.ID, workflow.ID.String(), nil) s.True(biz.IsErrValidation(err)) @@ -346,17 +342,12 @@ func (s *workflowIntegrationTestSuite) TestUpdate() { { name: "update description", updates: &biz.WorkflowUpdateOpts{Description: toPtrS("new description")}, - want: &biz.Workflow{Description: "new description", Team: team, Project: project, Public: false}, - }, - { - name: "update visibility", - updates: &biz.WorkflowUpdateOpts{Public: toPtrBool(true)}, - want: &biz.Workflow{Description: description, Team: team, Project: project, Public: true}, + want: &biz.Workflow{Description: "new description", Team: team, Project: project}, }, { name: "update all options", - updates: &biz.WorkflowUpdateOpts{Team: toPtrS("new team"), Public: toPtrBool(true)}, - want: &biz.Workflow{Description: description, Team: "new team", Project: "test-project", Public: true}, + updates: &biz.WorkflowUpdateOpts{Team: toPtrS("new team")}, + want: &biz.Workflow{Description: description, Team: "new team", Project: "test-project"}, }, { name: "can update contract", @@ -503,17 +494,6 @@ func (s *workflowListIntegrationTestSuite) TestList() { s.Len(workflows, 1) }) - s.Run("list workflows with workflow public filter", func() { - _, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{OrgID: s.org.ID, Name: "name1", Project: project, Team: team, Description: description, Public: true}) - require.NoError(s.T(), err) - _, err = s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{OrgID: s.org.ID, Name: "name2", Project: project, Team: team, Description: description, Public: false}) - require.NoError(s.T(), err) - - workflows, _, err := s.Workflow.List(ctx, s.org.ID, &biz.WorkflowListOpts{WorkflowPublic: toPtrBool(true)}, nil) - s.NoError(err) - s.Len(workflows, 1) - }) - s.Run("list workflows with workflow run runner type filter", func() { _, err := s.Workflow.Create(ctx, &biz.WorkflowCreateOpts{OrgID: s.org.ID, Name: "name1", Project: project, Team: team, Description: description}) require.NoError(s.T(), err) diff --git a/app/controlplane/pkg/biz/workflowrun.go b/app/controlplane/pkg/biz/workflowrun.go index 7c9f96684..86fcde717 100644 --- a/app/controlplane/pkg/biz/workflowrun.go +++ b/app/controlplane/pkg/biz/workflowrun.go @@ -533,35 +533,6 @@ func (uc *WorkflowRunUseCase) List(ctx context.Context, orgID string, f *RunList return uc.wfRunRepo.List(ctx, orgUUID, f, p) } -// Returns the workflow run with the provided ID if it belongs to the org or its public -func (uc *WorkflowRunUseCase) GetByIDInOrgOrPublic(ctx context.Context, orgID, runID string) (*WorkflowRun, error) { - ctx, span := otelx.Start(ctx, workflowRunTracer, "WorkflowRunUseCase.GetByIDInOrgOrPublic") - defer span.End() - - orgUUID, err := uuid.Parse(orgID) - if err != nil { - return nil, NewErrInvalidUUID(err) - } - - runUUID, err := uuid.Parse(runID) - if err != nil { - return nil, NewErrInvalidUUID(err) - } - - wfrun, err := uc.wfRunRepo.FindByID(ctx, runUUID) - if err != nil { - return nil, fmt.Errorf("finding workflow run: %w", err) - } - - // if available, add attestation from attestation bundles - if err = uc.addAttestationFromBundle(ctx, wfrun); err != nil { - return nil, fmt.Errorf("retrieving attestation from bundle: %w", err) - } - - // If the workflow is public or belongs to the org we can return it - return workflowRunInOrgOrPublic(wfrun, orgUUID) -} - // Returns the workflow run with the provided ID if it belongs to the org func (uc *WorkflowRunUseCase) GetByIDInOrg(ctx context.Context, orgID, runID string) (*WorkflowRun, error) { ctx, span := otelx.Start(ctx, workflowRunTracer, "WorkflowRunUseCase.GetByIDInOrg") @@ -654,8 +625,11 @@ func trustedRootBizToVerifier(biztr *TrustedRoot) (*verifier.TrustedRoot, error) return tr, nil } -func (uc *WorkflowRunUseCase) GetByDigestInOrgOrPublic(ctx context.Context, orgID, digest string) (*WorkflowRun, error) { - ctx, span := otelx.Start(ctx, workflowRunTracer, "WorkflowRunUseCase.GetByDigestInOrgOrPublic") +// GetByDigestInOrg returns the workflow run identified by the given attestation digest, but only +// when it belongs to the provided organization. A run in another organization is reported as not +// found (identical to a nonexistent digest) so it does not leak cross-tenant existence. +func (uc *WorkflowRunUseCase) GetByDigestInOrg(ctx context.Context, orgID, digest string) (*WorkflowRun, error) { + ctx, span := otelx.Start(ctx, workflowRunTracer, "WorkflowRunUseCase.GetByDigestInOrg") defer span.End() orgUUID, err := uuid.Parse(orgID) @@ -672,13 +646,16 @@ func (uc *WorkflowRunUseCase) GetByDigestInOrgOrPublic(ctx context.Context, orgI return nil, fmt.Errorf("finding workflow run: %w", err) } + if wfrun == nil || wfrun.Workflow.OrgID != orgUUID { + return nil, NewErrNotFound("workflow run") + } + // if available, add attestation from attestation bundles if err = uc.addAttestationFromBundle(ctx, wfrun); err != nil { return nil, fmt.Errorf("retrieving attestation from bundle: %w", err) } - // If the workflow is public or belongs to the org we can return it - return workflowRunInOrgOrPublic(wfrun, orgUUID) + return wfrun, nil } // addAttestationFromBundle resolves the attestation bundle using cache → DB → CAS fallback. @@ -772,15 +749,6 @@ func (uc *WorkflowRunUseCase) downloadBundleFromCAS(ctx context.Context, digest return buf.Bytes(), nil } -// filter the workflow runs that belong to the org or are public -func workflowRunInOrgOrPublic(wfRun *WorkflowRun, orgID uuid.UUID) (*WorkflowRun, error) { - if wfRun == nil || (wfRun.Workflow.OrgID != orgID && !wfRun.Workflow.Public) { - return nil, NewErrNotFound("workflow run") - } - - return wfRun, nil -} - // Implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues func (WorkflowRunStatus) Values() (kinds []string) { for _, s := range []WorkflowRunStatus{ diff --git a/app/controlplane/pkg/biz/workflowrun_integration_test.go b/app/controlplane/pkg/biz/workflowrun_integration_test.go index e193acd73..4eb9199a3 100644 --- a/app/controlplane/pkg/biz/workflowrun_integration_test.go +++ b/app/controlplane/pkg/biz/workflowrun_integration_test.go @@ -247,7 +247,7 @@ func (s *workflowRunIntegrationTestSuite) TestSaveAttestation() { assert.NoError(err) // Retrieve attestation ref from storage and compare - r, err := s.WorkflowRun.GetByIDInOrgOrPublic(ctx, s.org.ID, run.ID.String()) + r, err := s.WorkflowRun.GetByIDInOrg(ctx, s.org.ID, run.ID.String()) assert.NoError(err) assert.Equal(bundleHash.String(), r.Attestation.Digest) env := attestation.DSSEEnvelopeFromBundle(bundle) @@ -281,7 +281,7 @@ func (s *workflowRunIntegrationTestSuite) TestSaveAttestation() { // digest is recorded on the workflow run err = s.WorkflowRun.MarkAsFinished(ctx, run.ID.String(), biz.WorkflowRunSuccess, "") assert.NoError(err) - stored, err := s.WorkflowRun.GetByIDInOrgOrPublic(ctx, s.org.ID, run.ID.String()) + stored, err := s.WorkflowRun.GetByIDInOrg(ctx, s.org.ID, run.ID.String()) assert.NoError(err) assert.Equal(bundleHash.String(), stored.Attestation.Digest) @@ -407,7 +407,7 @@ func (s *workflowRunIntegrationTestSuite) TestReleasedVersionImmutability() { }) } -func (s *workflowRunIntegrationTestSuite) TestGetByIDInOrgOrPublic() { +func (s *workflowRunIntegrationTestSuite) TestGetByIDInOrg() { assert := assert.New(s.T()) ctx := context.Background() testCases := []struct { @@ -434,15 +434,16 @@ func (s *workflowRunIntegrationTestSuite) TestGetByIDInOrgOrPublic() { wantErr: true, }, { - name: "can access workflowRun from other org if public", - orgID: s.org.ID, - runID: s.runOrg2Public.ID.String(), + name: "can't access workflowRun from other org even if formerly public", + orgID: s.org.ID, + runID: s.runOrg2Public.ID.String(), + wantErr: true, }, } for _, tc := range testCases { s.T().Run(tc.name, func(t *testing.T) { - run, err := s.WorkflowRun.GetByIDInOrgOrPublic(ctx, tc.orgID, tc.runID) + run, err := s.WorkflowRun.GetByIDInOrg(ctx, tc.orgID, tc.runID) if tc.wantErr { assert.Error(err) assert.True(biz.IsNotFound(err)) @@ -454,7 +455,7 @@ func (s *workflowRunIntegrationTestSuite) TestGetByIDInOrgOrPublic() { } } -func (s *workflowRunIntegrationTestSuite) TestGetByDigestInOrgOrPublic() { +func (s *workflowRunIntegrationTestSuite) TestGetByDigestInOrg() { assert := assert.New(s.T()) ctx := context.Background() testCases := []struct { @@ -487,15 +488,16 @@ func (s *workflowRunIntegrationTestSuite) TestGetByDigestInOrgOrPublic() { errTypeChecker: biz.IsNotFound, }, { - name: "can access workflowRun from other org if public", - orgID: s.org.ID, - digest: s.digestAttPublic, + name: "can't access workflowRun from other org even if formerly public", + orgID: s.org.ID, + digest: s.digestAttPublic, + errTypeChecker: biz.IsNotFound, }, } for _, tc := range testCases { s.T().Run(tc.name, func(t *testing.T) { - run, err := s.WorkflowRun.GetByDigestInOrgOrPublic(ctx, tc.orgID, tc.digest) + run, err := s.WorkflowRun.GetByDigestInOrg(ctx, tc.orgID, tc.digest) if tc.errTypeChecker != nil { assert.Error(err) assert.True(tc.errTypeChecker(err)) @@ -1075,7 +1077,7 @@ func setupWorkflowRunTestData(t *testing.T, suite *testhelpers.TestingUseCases, s.workflowOrg2, err = suite.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-workflow", OrgID: s.org2.ID, Project: "test-project"}) assert.NoError(err) // Public workflow - s.workflowPublicOrg2, err = suite.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-public-workflow", OrgID: s.org2.ID, Public: true, Project: "test-project"}) + s.workflowPublicOrg2, err = suite.Workflow.Create(ctx, &biz.WorkflowCreateOpts{Name: "test-public-workflow", OrgID: s.org2.ID, Project: "test-project"}) assert.NoError(err) // Find contract revision diff --git a/app/controlplane/pkg/data/casmapping.go b/app/controlplane/pkg/data/casmapping.go index 08ad455bc..d75b0d1f6 100644 --- a/app/controlplane/pkg/data/casmapping.go +++ b/app/controlplane/pkg/data/casmapping.go @@ -25,7 +25,6 @@ import ( "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/casbackend" "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/casmapping" "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/predicate" - "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/workflow" "github.com/chainloop-dev/chainloop/app/controlplane/pkg/data/ent/workflowrun" "github.com/chainloop-dev/chainloop/pkg/otelx" "github.com/go-kratos/kratos/v2/log" @@ -59,6 +58,17 @@ func (r *CASMappingRepo) Create(ctx context.Context, digest string, casBackendID return nil, fmt.Errorf("cas backend not found") } + // workflow_run_id has no DB-level foreign key, so validate the referenced run exists to avoid + // creating a mapping that points to a non-existent workflow run. + if opts != nil && opts.WorkflowRunID != nil { + exists, err := r.data.DB.WorkflowRun.Query().Where(workflowrun.ID(*opts.WorkflowRunID)).Exist(ctx) + if err != nil { + return nil, fmt.Errorf("failed to check workflow run: %w", err) + } else if !exists { + return nil, biz.NewErrNotFound("workflow run") + } + } + query := r.data.DB.CASMapping.Create(). SetDigest(digest). SetCasBackendID(casBackendID). @@ -112,42 +122,7 @@ func (r *CASMappingRepo) FindByDigestInOrgs(ctx context.Context, digest string, return nil, err } - // Access is granted through org membership, independent of the workflow's public visibility. - return entCASMappingToBiz(m, false) -} - -// FindPublicByDigest returns a single CAS mapping for the digest that was produced by a public -// workflow, preferring the default backend. It returns (nil, nil) when no public mapping exists. -// -// A public mapping can live in any organization, so visibility is matched on the mapping's workflow -// rather than on org membership. As there is no ent edge from a mapping to its workflow run, the -// match is expressed as a subquery on workflow_run_id. The selection is bounded with a LIMIT 1. -func (r *CASMappingRepo) FindPublicByDigest(ctx context.Context, digest string) (*biz.CASMapping, error) { - ctx, span := otelx.Start(ctx, casMappingRepoTracer, "CASMappingRepo.FindPublicByDigest") - defer span.End() - - publicWorkflowRun := func(s *sql.Selector) { - wr := sql.Table(workflowrun.Table) - wf := sql.Table(workflow.Table) - s.Where(sql.In( - s.C(casmapping.FieldWorkflowRunID), - sql.Select(wr.C(workflowrun.FieldID)). - From(wr). - Join(wf).On(wr.C(workflowrun.FieldWorkflowID), wf.C(workflow.FieldID)). - // The workflow must be public and not (soft) deleted. - Where(sql.And( - sql.EQ(wf.C(workflow.FieldPublic), true), - sql.IsNull(wf.C(workflow.FieldDeletedAt)), - )), - )) - } - - m, err := r.findOnePreferringDefault(ctx, casmapping.Digest(digest), publicWorkflowRun) - if err != nil || m == nil { - return nil, err - } - - return entCASMappingToBiz(m, true) + return entCASMappingToBiz(m) } // findOnePreferringDefault returns the first CAS mapping matching the given predicates, preferring @@ -188,42 +163,10 @@ func (r *CASMappingRepo) findByID(ctx context.Context, id uuid.UUID) (*biz.CASMa return nil, nil } - public, err := r.IsPublic(ctx, r.data.DB, backend.WorkflowRunID) - if err != nil { - if ent.IsNotFound(err) { - return nil, biz.NewErrNotFound("cas mapping") - } - - return nil, fmt.Errorf("failed to check if workflow is public: %w", err) - } - - return entCASMappingToBiz(backend, public) -} - -func (r *CASMappingRepo) IsPublic(ctx context.Context, client *ent.Client, runID uuid.UUID) (bool, error) { - ctx, span := otelx.Start(ctx, casMappingRepoTracer, "CASMappingRepo.IsPublic") - defer span.End() - - // If the workflow run id is not set, the mapping is not public - if runID == uuid.Nil { - return false, nil - } - - // Check if the workflow is public - wr, err := client.WorkflowRun.Query().Where(workflowrun.ID(runID)).Select(workflowrun.FieldWorkflowID).First(ctx) - if err != nil { - return false, fmt.Errorf("failed to get workflow run: %w", err) - } - - workflow, err := client.Workflow.Query().Where(workflow.ID(wr.WorkflowID)).Select(workflow.FieldPublic).First(ctx) - if err != nil { - return false, fmt.Errorf("failed to get workflow: %w", err) - } - - return workflow.Public, nil + return entCASMappingToBiz(backend) } -func entCASMappingToBiz(input *ent.CASMapping, public bool) (*biz.CASMapping, error) { +func entCASMappingToBiz(input *ent.CASMapping) (*biz.CASMapping, error) { if input == nil { return nil, nil } @@ -241,7 +184,6 @@ func entCASMappingToBiz(input *ent.CASMapping, public bool) (*biz.CASMapping, er WorkflowRunID: input.WorkflowRunID, OrgID: input.OrganizationID, CreatedAt: toTimePtr(input.CreatedAt), - Public: public, ProjectID: input.ProjectID, }, nil } diff --git a/app/controlplane/pkg/data/ent/schema/workflow.go b/app/controlplane/pkg/data/ent/schema/workflow.go index d8146622d..f21dbc61b 100644 --- a/app/controlplane/pkg/data/ent/schema/workflow.go +++ b/app/controlplane/pkg/data/ent/schema/workflow.go @@ -52,7 +52,10 @@ func (Workflow) Fields() []ent.Field { Default: "CURRENT_TIMESTAMP", }), field.Time("deleted_at").Optional(), - // public means that the workflow runs, attestations and materials are reachable + // Deprecated: the public workflow feature was removed and this column is no longer read or + // written by the application. It is intentionally kept (not dropped) so that pods still + // running the previous image—which SELECT this column—keep working during rollout. The + // column will be dropped in a follow-up migration once the rollout has settled. field.Bool("public").Default(false), field.UUID("organization_id", uuid.UUID{}), field.UUID("project_id", uuid.UUID{}), diff --git a/app/controlplane/pkg/data/referrer.go b/app/controlplane/pkg/data/referrer.go index 4de7ba371..a642d3ac0 100644 --- a/app/controlplane/pkg/data/referrer.go +++ b/app/controlplane/pkg/data/referrer.go @@ -138,10 +138,6 @@ func (r *ReferrerRepo) Exist(ctx context.Context, digest string, filters ...biz. query = query.Where(referrer.Kind(*opts.RootKind)) } - if opts.Public != nil { - query = query.WithWorkflows(func(q *ent.WorkflowQuery) { q.Where(workflow.PublicEQ(*opts.Public)) }) - } - return query.Exist(ctx) } @@ -171,11 +167,6 @@ func (r *ReferrerRepo) GetFromRoot(ctx context.Context, digest string, orgIDs [] workflow.DeletedAtIsNil(), workflow.HasOrganizationWith(organization.IDIn(orgIDs...)), } - // optionally attaching its visibility - if opts.Public != nil { - predicateWF = append(predicateWF, workflow.Public(*opts.Public)) - } - // Attach the workflow predicate predicateReferrer = append(predicateReferrer, referrer.HasWorkflowsWith(predicateWF...)) @@ -190,7 +181,7 @@ func (r *ReferrerRepo) GetFromRoot(ctx context.Context, digest string, orgIDs [] if opts.ProjectVersion != nil { version = *opts.ProjectVersion } - projectPred = r.projectScopePredicate(*opts.ProjectName, version, orgIDs, opts.ProjectIDs, opts.Public) + projectPred = r.projectScopePredicate(*opts.ProjectName, version, orgIDs, opts.ProjectIDs) predicateReferrer = append(predicateReferrer, referrer.Or( referrer.KindNEQ(biz.ReferrerAttestationType), projectPred, @@ -215,7 +206,7 @@ func (r *ReferrerRepo) GetFromRoot(ctx context.Context, digest string, orgIDs [] } // Find the referrer recursively starting from the root - res, nextCursor, err := r.doGet(ctx, refs[0], orgIDs, opts.ProjectIDs, opts.Public, projectPred, p, 0) + res, nextCursor, err := r.doGet(ctx, refs[0], orgIDs, opts.ProjectIDs, projectPred, p, 0) if err != nil && !biz.IsErrUnauthorized(err) { return nil, "", fmt.Errorf("failed to get referrer: %w", err) } @@ -230,13 +221,11 @@ func (r *ReferrerRepo) GetFromRoot(ctx context.Context, digest string, orgIDs [] // semi-join via the index on workflow_run.attestation_digest, which is what makes the filter // scale at thousands of runs per project. // -// Visibility mirrors isReferrerVisible: a run is included when its workflow is either public -// (regardless of RBAC) or its project is in the caller's RBAC-visible set. visibleProjectsMap -// follows the existing convention — an org entry present means RBAC applies for that org and -// only the listed project IDs are visible; an org absent means no RBAC restriction. When -// public != nil, the run's workflow visibility is additionally constrained to that value. -// The public-workflow short-circuit is tracked for removal in chainloop-dev/chainloop#3163. -func (r *ReferrerRepo) projectScopePredicate(projectName, version string, orgIDs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, public *bool) predicate.Referrer { +// Visibility mirrors isReferrerVisible: a run is included when its workflow's project is in the +// caller's RBAC-visible set. visibleProjectsMap follows the existing convention — an org entry +// present means RBAC applies for that org and only the listed project IDs are visible; an org +// absent means no RBAC restriction. +func (r *ReferrerRepo) projectScopePredicate(projectName, version string, orgIDs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID) predicate.Referrer { versionPredicates := []predicate.ProjectVersion{ projectversion.DeletedAtIsNil(), projectversion.HasProjectWith( @@ -252,27 +241,16 @@ func (r *ReferrerRepo) projectScopePredicate(projectName, version string, orgIDs workflowrun.HasVersionWith(versionPredicates...), } - // Visibility OR — same semantics as isReferrerVisible: a public workflow is visible to any - // caller in its org, otherwise the project must be in the caller's RBAC-visible set. - visibility := []predicate.WorkflowRun{ - workflowrun.HasWorkflowWith( - workflow.DeletedAtIsNil(), - workflow.Public(true), - workflow.HasOrganizationWith(organization.IDIn(orgIDs...)), - ), - } - if rbacScope := projectVisibilityPredicate(orgIDs, visibleProjectsMap); rbacScope != nil { - visibility = append(visibility, workflowrun.HasWorkflowWith( - workflow.DeletedAtIsNil(), - workflow.HasProjectWith(rbacScope), - )) - } - runPredicates = append(runPredicates, workflowrun.Or(visibility...)) - - // If the caller explicitly scopes by public/private, layer that on top. - if public != nil { - runPredicates = append(runPredicates, workflowrun.HasWorkflowWith(workflow.Public(*public))) + // Visibility — same semantics as isReferrerVisible: the run's workflow project must be in the + // caller's RBAC-visible set. If no project is visible in any allowed org, nothing matches. + rbacScope := projectVisibilityPredicate(orgIDs, visibleProjectsMap) + if rbacScope == nil { + return func(s *sql.Selector) { s.Where(sql.False()) } } + runPredicates = append(runPredicates, workflowrun.HasWorkflowWith( + workflow.DeletedAtIsNil(), + workflow.HasProjectWith(rbacScope), + )) return func(s *sql.Selector) { t := sql.Table(workflowrun.Table) @@ -286,8 +264,8 @@ func (r *ReferrerRepo) projectScopePredicate(projectName, version string, orgIDs // projectVisibilityPredicate builds a project predicate that accepts a project iff it belongs to // one of the allowed orgs AND, when RBAC applies to that org, the project is in the caller's -// visible set. Returns nil when no org grants any project visibility, so callers can fall back -// to other visibility paths (e.g. public workflows). +// visible set. Returns nil when no org grants any project visibility, so callers can treat that +// as "nothing is visible". func projectVisibilityPredicate(orgIDs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID) predicate.Project { perOrg := make([]predicate.Project, 0, len(orgIDs)) for _, orgID := range orgIDs { @@ -315,7 +293,7 @@ func projectVisibilityPredicate(orgIDs []uuid.UUID, visibleProjectsMap map[uuid. // we also need to limit this because there might be cycles const maxTraverseLevels = 1 -func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, public *bool, projectPred predicate.Referrer, p *pagination.CursorOptions, level int) (*biz.StoredReferrer, string, error) { +func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, projectPred predicate.Referrer, p *pagination.CursorOptions, level int) (*biz.StoredReferrer, string, error) { // Assemble the referrer to return res := &biz.StoredReferrer{ ID: root.ID, @@ -357,11 +335,6 @@ func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrg workflow.DeletedAtIsNil(), workflow.HasOrganizationWith(organization.IDIn(allowedOrgs...)), } - // optionally attaching its visibility - if public != nil { - predicateWF = append(predicateWF, workflow.Public(*public)) - } - // Attach the workflow predicate predicateReferrer = append(predicateReferrer, referrer.HasWorkflowsWith(predicateWF...)) @@ -414,7 +387,7 @@ func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrg // Add the references to the result for _, reference := range refs { // Call recursively the function — pagination only applies to the first level - ref, _, err := r.doGet(ctx, reference, allowedOrgs, visibleProjectsMap, public, projectPred, nil, level+1) + ref, _, err := r.doGet(ctx, reference, allowedOrgs, visibleProjectsMap, projectPred, nil, level+1) if err != nil && !biz.IsErrUnauthorized(err) { return nil, "", fmt.Errorf("failed to get referrer: %w", err) } @@ -449,10 +422,6 @@ func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrg } func isReferrerVisible(ref *biz.StoredReferrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID) bool { - if ref.InPublicWorkflow { - return true - } - for _, oid := range ref.OrgIDs { if !slices.Contains(allowedOrgs, oid) { // skip check in organizations where the user doesn't have access @@ -477,19 +446,14 @@ func isReferrerVisible(ref *biz.StoredReferrer, allowedOrgs []uuid.UUID, visible } // hydrate the referrer with the following information: -// - isPublic: if it has a public workflow associated // - workflowIDs: the list of associated workflows // - orgIDs: the list of associated organizations func hydrateWorkflowsInfo(root *ent.Referrer, out *biz.StoredReferrer) { - isPublic := false workflowIDs := make([]uuid.UUID, 0, len(root.Edges.Workflows)) projectIDs := make(map[uuid.UUID]bool, 0) orgIDs := make([]uuid.UUID, 0) orgsMap := make(map[uuid.UUID]struct{}, 0) for _, wf := range root.Edges.Workflows { - if wf.Public { - isPublic = true - } workflowIDs = append(workflowIDs, wf.ID) if _, ok := orgsMap[wf.OrganizationID]; !ok { orgIDs = append(orgIDs, wf.OrganizationID) @@ -501,7 +465,6 @@ func hydrateWorkflowsInfo(root *ent.Referrer, out *biz.StoredReferrer) { } out.ProjectIDs = maps.Keys(projectIDs) - out.InPublicWorkflow = isPublic out.WorkflowIDs = workflowIDs out.OrgIDs = orgIDs } diff --git a/app/controlplane/pkg/data/workflow.go b/app/controlplane/pkg/data/workflow.go index 2593b98c1..31918e88d 100644 --- a/app/controlplane/pkg/data/workflow.go +++ b/app/controlplane/pkg/data/workflow.go @@ -204,7 +204,6 @@ func (r *WorkflowRepo) Create(ctx context.Context, opts *biz.WorkflowCreateOpts) SetName(opts.Name). SetProjectID(projectID). SetTeam(opts.Team). - SetPublic(opts.Public). SetName(opts.Name). SetContractID(contractUUID). SetOrganizationID(orgUUID). @@ -236,7 +235,6 @@ func (r *WorkflowRepo) Update(ctx context.Context, id uuid.UUID, opts *biz.Workf req := r.data.DB.Workflow.UpdateOneID(id). SetNillableTeam(opts.Team). - SetNillablePublic(opts.Public). SetNillableDescription(opts.Description). SetUpdatedAt(time.Now()) @@ -344,10 +342,6 @@ func applyWorkflowRunFilters(baseQuery *ent.WorkflowQuery, opts *biz.WorkflowLis // applyWorkflowFilters applies filters to the Workflow query based on the provided options func applyWorkflowFilters(wfQuery *ent.WorkflowQuery, opts *biz.WorkflowListOpts) (*ent.WorkflowQuery, error) { if opts != nil { - if opts.WorkflowPublic != nil { - wfQuery = wfQuery.Where(workflow.Public(*opts.WorkflowPublic)) - } - if opts.ProjectIDs != nil { wfQuery = wfQuery.Where(workflow.ProjectIDIn(opts.ProjectIDs...)) } @@ -503,7 +497,6 @@ func entWFToBizWF(ctx context.Context, w *ent.Workflow) (*biz.Workflow, error) { wf := &biz.Workflow{Name: w.Name, ID: w.ID, CreatedAt: toTimePtr(w.CreatedAt), Team: w.Team, RunsCounter: w.RunsCount, - Public: w.Public, Description: w.Description, OrgID: w.OrganizationID, ProjectID: w.ProjectID, diff --git a/app/controlplane/pkg/data/workflowrun.go b/app/controlplane/pkg/data/workflowrun.go index 612b14c92..6406a184f 100644 --- a/app/controlplane/pkg/data/workflowrun.go +++ b/app/controlplane/pkg/data/workflowrun.go @@ -238,7 +238,7 @@ func (r *WorkflowRunRepo) FindByIDInOrg(ctx context.Context, orgID, id uuid.UUID run, err := orgScopedQuery(r.data.DB, orgID). QueryWorkflows(). QueryWorkflowruns().Where(workflowrun.ID(id)). - WithWorkflowAndProject().WithContractVersion().WithCasBackends(). + WithWorkflowAndProject().WithVersion().WithContractVersion().WithCasBackends(). Only(ctx) if err != nil && !ent.IsNotFound(err) { return nil, err diff --git a/buf.yaml b/buf.yaml index 6ac0cff6d..babfd6d57 100644 --- a/buf.yaml +++ b/buf.yaml @@ -55,8 +55,16 @@ modules: ignore_only: # Deprecated `attestation` and `bundle` fields were removed in favor of `attestation_bundle`; # their tag numbers and names are `reserved` in the proto to prevent accidental reuse. + # The `public` workflow attribute and the public shared referrer index were removed; + # their tag numbers/names are `reserved` and the DiscoverPublicShared RPC + messages deleted. FIELD_NO_DELETE: - app/controlplane/api/controlplane/v1/workflow_run.proto + - app/controlplane/api/controlplane/v1/workflow.proto + - app/controlplane/api/controlplane/v1/referrer.proto + RPC_NO_DELETE: + - app/controlplane/api/controlplane/v1/referrer.proto + MESSAGE_NO_DELETE: + - app/controlplane/api/controlplane/v1/referrer.proto - path: app/controlplane/internal/conf lint: use: @@ -74,6 +82,13 @@ modules: except: - EXTENSION_NO_DELETE - FIELD_SAME_DEFAULT + ignore_only: + # The referrer_shared_index config field + ReferrerSharedIndex message were removed + # together with the public shared referrer index feature. + FIELD_NO_DELETE: + - app/controlplane/internal/conf/controlplane/config/v1/conf.proto + MESSAGE_NO_DELETE: + - app/controlplane/internal/conf/controlplane/config/v1/conf.proto - path: app/controlplane/pkg/conf lint: use: diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml index ed5da16e7..751c0ad0b 100644 --- a/deployment/chainloop/Chart.yaml +++ b/deployment/chainloop/Chart.yaml @@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 1.409.0 +version: 1.409.1 # Do not update appVersion, this is handled automatically by the release process appVersion: v1.103.1 diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index c9e30d54d..976984545 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -570,9 +570,6 @@ Once done, you can access with [two predefined users](https://github.com/chainlo | `controlplane.enableProfiler` | Enable pprof profiling on port 6060 | `false` | | `controlplane.tls.existingSecret` | Existing secret name containing TLS certificate to be used by the controlplane grpc server. NOTE: When it's set it will disable secret creation. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. | `""` | | `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | -| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | -| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | -| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | | `controlplane.federatedAuthentication` | Enable federated authentication during attestation process | | | `controlplane.federatedAuthentication.enabled` | Enable federated authentication | `false` | | `controlplane.federatedAuthentication.url` | URL of the federated authentication endpoint | `""` | diff --git a/deployment/chainloop/templates/controlplane/configmap.yaml b/deployment/chainloop/templates/controlplane/configmap.yaml index 7e7a991fa..3517d2593 100644 --- a/deployment/chainloop/templates/controlplane/configmap.yaml +++ b/deployment/chainloop/templates/controlplane/configmap.yaml @@ -52,8 +52,6 @@ data: {{- if .Values.controlplane.uiDashboardURL }} ui_dashboard_url: {{ .Values.controlplane.uiDashboardURL | quote }} {{- end }} - referrer_shared_index: - {{- toYaml .Values.controlplane.referrerSharedIndex | nindent 6 }} {{ if .Values.controlplane.onboarding }} onboarding: {{- toYaml .Values.controlplane.onboarding | nindent 6 }} diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml index e0f3e152d..07f7ed4ab 100644 --- a/deployment/chainloop/values.yaml +++ b/deployment/chainloop/values.yaml @@ -166,13 +166,6 @@ controlplane: ## @param controlplane.pluginsDir Directory where to look for plugins pluginsDir: /plugins - ## @extra controlplane.referrerSharedIndex Configure the shared, public index API endpoint that can be used to discover metadata referrers - ## @param controlplane.referrerSharedIndex.enabled Enable index API endpoint - ## @param controlplane.referrerSharedIndex.allowedOrgs List of UUIDs of organizations that are allowed to publish to the shared index - referrerSharedIndex: - enabled: false - allowedOrgs: [] - ## @extra controlplane.federatedAuthentication Enable federated authentication during attestation process ## @param controlplane.federatedAuthentication.enabled Enable federated authentication ## @param controlplane.federatedAuthentication.url URL of the federated authentication endpoint