feat: add organization setting to restrict project-scoped contracts

app/controlplane/api/controlplane/v1/organization.proto

@@ -96,6 +96,9 @@ message OrganizationServiceUpdateRequest {
 
   // prevent workflows and projects from being created implicitly during attestation init
   optional bool prevent_implicit_workflow_creation = 5;
+
+  // restrict_contract_creation_to_org_admins restricts contract creation (org-level and project-level) to only organization admins (owner/admin roles)
+  optional bool restrict_contract_creation_to_org_admins = 6;
 }
 
 message OrganizationServiceUpdateResponse {

app/controlplane/api/controlplane/v1/response_messages.proto

@@ -281,6 +281,8 @@ message OrgItem {
   repeated string policy_allowed_hostnames = 5;
   // prevent workflows and projects from being created implicitly during attestation init
   bool prevent_implicit_workflow_creation = 7;
+  // restrict_contract_creation_to_org_admins restricts contract creation (org-level and project-level) to only organization admins (owner/admin roles)
+  bool restrict_contract_creation_to_org_admins = 8;
 
   enum PolicyViolationBlockingStrategy {
     POLICY_VIOLATION_BLOCKING_STRATEGY_UNSPECIFIED = 0;

app/controlplane/internal/service/attestation.go

@@ -59,6 +59,7 @@ type AttestationService struct {
 	projectVersionUseCase   *biz.ProjectVersionUseCase
 	projectUseCase          *biz.ProjectUseCase
 	signingUseCase          *biz.SigningUseCase
+	userUseCase             *biz.UserUseCase
 }
 
 type NewAttestationServiceOpts struct {
@@ -78,6 +79,7 @@ type NewAttestationServiceOpts struct {
 	ProjectUC          *biz.ProjectUseCase
 	ProjectVersionUC   *biz.ProjectVersionUseCase
 	SigningUseCase     *biz.SigningUseCase
+	UserUC             *biz.UserUseCase
 	Opts               []NewOpt
 }
 
@@ -100,6 +102,7 @@ func NewAttestationService(opts *NewAttestationServiceOpts) *AttestationService
 		projectUseCase:          opts.ProjectUC,
 		projectVersionUseCase:   opts.ProjectVersionUC,
 		signingUseCase:          opts.SigningUseCase,
+		userUseCase:             opts.UserUC,
 	}
 }
 
@@ -748,14 +751,21 @@ func (s *AttestationService) FindOrCreateWorkflow(ctx context.Context, req *cpAP
 		return &cpAPI.FindOrCreateWorkflowResponse{Result: bizWorkflowToPb(wf)}, nil
 	}
 
+	// Get organization
+	org, err := s.orgUseCase.FindByID(ctx, apiToken.OrgID)
+	if err != nil {
+		return nil, handleUseCaseErr(err, s.log)
+	}
+
 	// the workflow does not exist, let's create it alongside its project and contract
 	createOpts := &biz.WorkflowCreateOpts{
-		OrgID:            apiToken.OrgID,
-		Name:             req.GetWorkflowName(),
-		Project:          req.GetProjectName(),
-		ContractName:     req.GetContractName(),
-		ContractBytes:    req.GetContractBytes(),
-		ImplicitCreation: true, // Mark as implicit creation from attestation init
+		OrgID:                               apiToken.OrgID,
+		Name:                                req.GetWorkflowName(),
+		Project:                             req.GetProjectName(),
+		ContractName:                        req.GetContractName(),
+		ContractBytes:                       req.GetContractBytes(),
+		ImplicitCreation:                    true, // Mark as implicit creation from attestation init
+		OrgRestrictContractCreationToAdmins: org.RestrictContractCreationToOrgAdmins,
 	}
 
 	// set project owner if RBAC is enabled
@@ -766,6 +776,9 @@ func (s *AttestationService) FindOrCreateWorkflow(ctx context.Context, req *cpAP
 			return nil, handleUseCaseErr(err, s.log)
 		}
 		createOpts.Owner = &userID
+
+		// Check if user is an org admin
+		createOpts.UserIsOrgAdmin = isUserOrgAdmin(ctx)
 	}
 
 	wf, err := s.workflowUseCase.Create(ctx, createOpts)

app/controlplane/internal/service/context.go

@@ -118,10 +118,11 @@ func (s *ContextService) Current(ctx context.Context, _ *pb.ContextServiceCurren
 
 func bizOrgToPb(m *biz.Organization) *pb.OrgItem {
 	return &pb.OrgItem{Id: m.ID, Name: m.Name, CreatedAt: timestamppb.New(*m.CreatedAt),
-		UpdatedAt:                       timestamppb.New(*m.UpdatedAt),
-		DefaultPolicyViolationStrategy:  bizPolicyViolationBlockingStrategyToPb(m.BlockOnPolicyViolation),
-		PolicyAllowedHostnames:          m.PoliciesAllowedHostnames,
-		PreventImplicitWorkflowCreation: m.PreventImplicitWorkflowCreation,
+		UpdatedAt:                           timestamppb.New(*m.UpdatedAt),
+		DefaultPolicyViolationStrategy:      bizPolicyViolationBlockingStrategyToPb(m.BlockOnPolicyViolation),
+		PolicyAllowedHostnames:              m.PoliciesAllowedHostnames,
+		PreventImplicitWorkflowCreation:     m.PreventImplicitWorkflowCreation,
+		RestrictContractCreationToOrgAdmins: m.RestrictContractCreationToOrgAdmins,
 	}
 }
 

app/controlplane/internal/service/organization.go

@@ -89,7 +89,7 @@ func (s *OrganizationService) Update(ctx context.Context, req *pb.OrganizationSe
 		}
 	}
 
-	org, err := s.orgUC.Update(ctx, currentUser.ID, req.Name, req.BlockOnPolicyViolation, policiesAllowedHostnames, req.PreventImplicitWorkflowCreation)
+	org, err := s.orgUC.Update(ctx, currentUser.ID, req.Name, req.BlockOnPolicyViolation, policiesAllowedHostnames, req.PreventImplicitWorkflowCreation, req.RestrictContractCreationToOrgAdmins)
 	if err != nil {
 		return nil, handleUseCaseErr(err, s.log)
 	}

app/controlplane/internal/service/service.go

@@ -329,6 +329,12 @@ func (s *service) visibleProjects(ctx context.Context) []uuid.UUID {
 	return projects
 }
 
+// isUserOrgAdmin checks if the current user is an org admin or owner
+func isUserOrgAdmin(ctx context.Context) bool {
+	userRole := usercontext.CurrentAuthzSubject(ctx)
+	return authz.Role(userRole).IsAdmin()
+}
+
 // initializePaginationOpts initializes the pagination options with the provided request pagination options.
 func initializePaginationOpts(reqPagination *pb.OffsetPaginationRequest) (*pagination.OffsetPaginationOpts, error) {
 	// Initialize the pagination options, with default values