chore: Main sync #5862

Merged
merged 51 commits into from
Sep 18, 2024
Merged
779e913
migration number changes (#5692)
prakash100198 Aug 15, 2024
4f04d6b
refrain from checkin autoscalingCheckBeforeTrigger for virt clus (#5696)
prakash100198 Aug 20, 2024
2e58e77
fix: Decode secret fix on add update oss (#5695)
prakash100198 Aug 20, 2024
bf23515
saving pco concurrency case handled (#5688)
prakash100198 Aug 20, 2024
694831c
fix: script for pipelineStageStepVariable, making input value and def…
prakash100198 Aug 21, 2024
3e31f49
fix: ea fixes for helm app (#5708)
RajeevRanjan27 Aug 21, 2024
8de88d7
Revert "fix: ea fixes for helm app (#5708)" (#5713)
RajeevRanjan27 Aug 22, 2024
378c2d9
fix: SkipCiBuildCachePushPull code incorporated with minor refac in h…
prakash100198 Aug 22, 2024
827608f
migration syn with ent (#5718)
prkhrkat Aug 23, 2024
5f43eb2
doc: Edit Deployment Chart Schema (#5735)
ashokdevtron Aug 23, 2024
16d01d6
doc: Redirection of old entry in gitbook.yaml (#5738)
ashokdevtron Aug 23, 2024
d816dee
docs: added Documentation for Air-Gapped Installation (#5360)
badal773 Aug 23, 2024
26784d5
feat: Env description handling (#5744)
kripanshdevtron Aug 27, 2024
e677fbd
misc: Main sync rc - branch update (#5753)
kartik-579 Aug 28, 2024
8a61bac
doc: Update prerequisites of code-scan (#5625)
bhushan-nemade-dt Aug 28, 2024
6da544f
fix: ci patch rbac for branch update (#5759)
Ash-exp Aug 28, 2024
09946c2
feat: Added basic auth support for servicemonitor (#5761)
pawan-mehta-dt Aug 29, 2024
80f0758
fix: Bitnami chart repo tls issue (#5740)
akshatsinha007 Aug 29, 2024
7ee4a32
doc: Cosign plugin doc (#5665)
bhushan-nemade-dt Aug 29, 2024
99d10f5
fix: check rbac on env if envName is present (#5765)
prakash100198 Aug 29, 2024
f1a50b1
doc: CraneCopy plugin doc (#5658)
bhushan-nemade-dt Aug 30, 2024
3ef2b96
doc: Devtron CD Trigger Plugin doc (#5747)
bhushan-nemade-dt Aug 30, 2024
3888a41
doc: DockerSlim plugin doc (#5660)
bhushan-nemade-dt Aug 30, 2024
a625e7e
doc: Devtron Job Trigger Plugin doc (#5742)
bhushan-nemade-dt Aug 30, 2024
ff89a26
fix: scan tool active check removed (#5771)
kripanshdevtron Aug 30, 2024
5170040
feat: Docker pull env driven (#5767)
prakash100198 Aug 30, 2024
c66ccf5
fix: panic handlings and argocd app delete stuck in partial stage (#5…
Ash-exp Aug 30, 2024
4296366
feat: plugin creation support (#5630)
prakash100198 Sep 2, 2024
47843d9
Revert "feat: plugin creation support (#5630)" (#5778)
prakash100198 Sep 2, 2024
fd90dfb
fix: unimplemented cluster cron service (#5781)
Ash-exp Sep 2, 2024
1540271
fix: sql injection fixes (#5783)
kripanshdevtron Sep 2, 2024
ba02845
doc: Vulnerability Scanning Plugin doc (#5722)
bhushan-nemade-dt Sep 3, 2024
02f4a1b
docs: Jira plugins doc (Validator + Updater) (#5709)
ashokdevtron Sep 3, 2024
a6a2ae2
add basic auth and tls for sm (#5789)
pawan-mehta-dt Sep 3, 2024
654ba93
docs: added commands enable ingress during helm installation (#5794)
badal773 Sep 4, 2024
0e16daf
Revamped + Restructured Ingress Setup Doc (#5798)
ashokdevtron Sep 4, 2024
d4bd272
modifying route (#5799)
badal773 Sep 4, 2024
43ba232
fix: cron status update refactoring (#5790)
Ash-exp Sep 4, 2024
be9d553
docs: modified the anchorlink in ingress.md (#5800)
badal773 Sep 4, 2024
1e0af22
query param split (#5801)
Shivam-nagar23 Sep 4, 2024
8f92d3f
fix: upgraded to /argo-cd/v2 v2.9.21 (#5758)
prkhrkat Sep 5, 2024
bd51187
fix: Ea rbac fixes (#5813)
kripanshdevtron Sep 9, 2024
3020744
fix: scan list in global security page sql injection fix (#5808)
prakash100198 Sep 9, 2024
e332df2
fix: app details page(#5823)
iamayushm Sep 10, 2024
8e78d6e
misc: sync with common-lib changes with release candidate 18 (#5830)
systemsdt Sep 11, 2024
78f45ef
feat: Custom tag for copy container image plugin (#5760) (#5841)
prkhrkat Sep 13, 2024
395d659
chore: migration number fix (#5840)
prakash100198 Sep 13, 2024
68934d7
wip: adding variable id (#5844)
iamayushm Sep 13, 2024
0fc6d64
fix: ignore kubelink errors in server startup (#5852) (#5854)
gireesh-naidu Sep 17, 2024
18431d0
fix: fixed user rbac flows (#5804)
kartik-579 Sep 18, 2024
c6a04c2
Merge branch 'main' into main-sync-18sep-1
kartik-579 Sep 18, 2024
432 changes: 280 additions & 152 deletions api/auth/user/UserRestHandler.go


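--- a/api/bean/UserRequest.go
+++ b/api/bean/UserRequest.go
@@ -111,10 +111,14 @@ const (
 type PolicyType int
 
 const (
-POLICY_DIRECT PolicyType = 1
-POLICY_GROUP PolicyType = 1
-SUPERADMIN = "role:super-admin___"
-USER_TYPE_API_TOKEN = "apiToken"
+POLICY_DIRECT PolicyType = 1
+POLICY_GROUP PolicyType = 1
+SUPERADMIN = "role:super-admin___"
+APP_ACCESS_TYPE_HELM = "helm-app"
+USER_TYPE_API_TOKEN = "apiToken"
+CHART_GROUP_ENTITY = "chart-group"
+CLUSTER_ENTITIY = "cluster"
+ACTION_SUPERADMIN = "super-admin"
 )
 
 type UserListingResponse struct {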
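Review bot: POLICY_DIRECT and POLICY_GROUP both keep the value 1 in the rewritten const block, so a PolicyType value cannot distinguish a direct policy from a group policy; this predates the change, but since the block is being rewritten here it is the moment to settle it — either `POLICY_GROUP PolicyType = 2` if the two are meant to be distinct, or a comment stating they are intentionally equal. The newly added CLUSTER_ENTITIY constant carries the same misspelling as the bean2.CLUSTER_ENTITIY that RoleGroupService.go in this PR refers to; if the name is kept for parity, a comment `// spelling kept for parity with bean2.CLUSTER_ENTITIY` would stop the next reader from renaming one and not the other.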
Expand Up @@ -2023,13 +2023,13 @@ func (handler *PipelineConfigRestHandlerImpl) GetCdPipelineById(w http.ResponseW
return
}

ciConf, err := handler.pipelineBuilder.GetCdPipelineById(pipelineId)
cdPipeline, err := handler.pipelineBuilder.GetCdPipelineById(pipelineId)
if err != nil {
handler.Logger.Errorw("service err, GetCdPipelineById", "err", err, "appId", appId, "pipelineId", pipelineId)
common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
return
}
cdResp, err := pipeline.CreatePreAndPostStageResponse(ciConf, version)
cdResp, err := pipeline.CreatePreAndPostStageResponse(cdPipeline, version)
if err != nil {
handler.Logger.Errorw("service err, CheckForVersionAndCreatePreAndPostStagePayload", "err", err, "appId", appId, "pipelineId", pipelineId)
common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
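--- a/pkg/apiToken/ApiTokenService.go
+++ b/pkg/apiToken/ApiTokenService.go
@@ -205,7 +205,7 @@ func (impl ApiTokenServiceImpl) CreateApiToken(request *openapi.CreateApiTokenRe
 EmailId: email,
 UserType: bean.USER_TYPE_API_TOKEN,
 }
-createUserResponse, _, err := impl.userService.CreateUser(&createUserRequest, token, managerAuth)
+createUserResponse, err := impl.userService.CreateUser(&createUserRequest)
 if err != nil {
 impl.logger.Errorw("error while creating user for api-token", "email", email, "error", err)
 return nil, err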
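Review bot: The changed CreateUser call no longer receives `token` and `managerAuth`, so the service layer does no authorization of the calling principal for the user it creates on behalf of the API token; presumably that check has moved into the REST layer (UserRestHandler.go is rewritten in this PR), but this path is reached from the API-token endpoint rather than the user-creation handler, so it is worth confirming that endpoint still enforces it before CreateApiToken runs. If `token` and `managerAuth` are now unused inside CreateApiToken, go vet will not flag them because they are parameters; either drop them from the signature or add `// authorization is enforced by the REST handler before this point` above the call so the new contract is explicit. CreateApiToken starts and ends outside the hunk.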
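--- a/pkg/auth/user/RoleGroupService.go
+++ b/pkg/auth/user/RoleGroupService.go
@@ -20,6 +20,7 @@ import (
 "errors"
 "fmt"
 "github.com/devtron-labs/devtron/pkg/auth/user/repository/helper"
+"net/http"
 "strings"
 "time"
 
@@ -37,7 +38,8 @@ import (
 
 type RoleGroupService interface {
 CreateRoleGroup(request *bean.RoleGroup) (*bean.RoleGroup, error)
-UpdateRoleGroup(request *bean.RoleGroup, token string, managerAuth func(resource, token string, object string) bool) (*bean.RoleGroup, error)
+UpdateRoleGroup(request *bean.RoleGroup, token string, checkRBACForGroupUpdate func(token string, groupInfo *bean.RoleGroup,
+eliminatedRoleFilters []*repository.RoleModel) (isAuthorised bool, err error)) (*bean.RoleGroup, error)
 FetchDetailedRoleGroups(req *bean.ListingRequest) ([]*bean.RoleGroup, error)
 FetchRoleGroupsById(id int32) (*bean.RoleGroup, error)
 FetchRoleGroups() ([]*bean.RoleGroup, error)
@@ -136,21 +138,21 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 for index, roleFilter := range request.RoleFilters {
 entity := roleFilter.Entity
 if entity == bean2.CLUSTER_ENTITIY {
-policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, model, nil, "", nil, tx, mapping[index])
+policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, model, nil, tx, mapping[index])
 policies = append(policies, policiesToBeAdded...)
 if err != nil {
 // making it non-blocking as it is being done for multiple Role filters and does not want this to be blocking.
 impl.logger.Errorw("error in creating updating role group for cluster entity", "err", err, "roleFilter", roleFilter)
 }
 } else if entity == bean2.EntityJobs {
-policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForJobsEntity(roleFilter, request.UserId, model, nil, "", nil, tx, mapping[index])
+policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForJobsEntity(roleFilter, request.UserId, model, nil, tx, mapping[index])
 policies = append(policies, policiesToBeAdded...)
 if err != nil {
 // making it non-blocking as it is being done for multiple Role filters and does not want this to be blocking.
 impl.logger.Errorw("error in creating updating role group for jobs entity", "err", err, "roleFilter", roleFilter)
 }
 } else {
-policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForOtherEntity(roleFilter, request, model, nil, "", nil, tx, mapping[index])
+policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForOtherEntity(roleFilter, request, model, nil, tx, mapping[index])
 policies = append(policies, policiesToBeAdded...)
 if err != nil {
 // making it non-blocking as it is being done for multiple Role filters and does not want this to be blocking.
@@ -199,7 +201,7 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 return request, nil
 }
 
-func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFilter bean.RoleFilter, userId int32, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, token string, managerAuth func(resource string, token string, object string) bool, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
+func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFilter bean.RoleFilter, userId int32, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
 //var policiesToBeAdded []casbin2.Policy
 namespaces := strings.Split(roleFilter.Namespace, ",")
 groups := strings.Split(roleFilter.Group, ",")
@@ -213,12 +215,6 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFil
 for _, group := range groups {
 for _, kind := range kinds {
 for _, resource := range resources {
-if managerAuth != nil {
-isValidAuth := impl.userCommonService.CheckRbacForClusterEntity(roleFilter.Cluster, namespace, group, kind, resource, token, managerAuth)
-if !isValidAuth {
-continue
-}
-}
 roleModel, err := impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, "", "", "", "", accessType, roleFilter.Cluster, namespace, group, kind, resource, actionType, false, "")
 if err != nil {
 impl.logger.Errorw("error in getting new role model by filter")
@@ -263,7 +259,7 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFil
 return policiesToBeAdded, nil
 }
 
-func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForOtherEntity(roleFilter bean.RoleFilter, request *bean.RoleGroup, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, token string, managerAuth func(resource string, token string, object string) bool, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
+func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForOtherEntity(roleFilter bean.RoleFilter, request *bean.RoleGroup, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
 actionType := roleFilter.Action
 accessType := roleFilter.AccessType
 entity := roleFilter.Entity
@@ -319,7 +315,7 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForOtherEntity(roleFilte
 return policiesToBeAdded, nil
 }
 
-func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForJobsEntity(roleFilter bean.RoleFilter, userId int32, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, token string, managerAuth func(resource string, token string, object string) bool, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
+func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForJobsEntity(roleFilter bean.RoleFilter, userId int32, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
 actionType := roleFilter.Action
 accessType := roleFilter.AccessType
 entity := roleFilter.Entity
@@ -372,7 +368,8 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForJobsEntity(roleFilter
 return policiesToBeAdded, nil
 }
 
-func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token string, managerAuth func(resource, token string, object string) bool) (*bean.RoleGroup, error) {
+func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token string, checkRBACForGroupUpdate func(token string, groupInfo *bean.RoleGroup,
+eliminatedRoleFilters []*repository.RoleModel) (isAuthorised bool, err error)) (*bean.RoleGroup, error) {
 dbConnection := impl.roleGroupRepository.GetConnection()
 tx, err := dbConnection.Begin()
 if err != nil {
@@ -404,6 +401,8 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 var eliminatedPolicies []casbin2.Policy
 capacity, mapping := impl.userCommonService.GetCapacityForRoleFilter(request.RoleFilters)
 var policies = make([]casbin2.Policy, 0, capacity)
+var eliminatedRoleModels []*repository.RoleModel
+var items []casbin2.Policy
 if request.SuperAdmin == false {
 roleGroupMappingModels, err := impl.roleGroupRepository.GetRoleGroupRoleMappingByRoleGroupId(roleGroup.Id)
 if err != nil {
@@ -417,7 +416,7 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 
 // DELETE PROCESS STARTS
 
-items, err := impl.userCommonService.RemoveRolesAndReturnEliminatedPoliciesForGroups(request, existingRoles, eliminatedRoles, tx, token, managerAuth)
+items, eliminatedRoleModels, err = impl.userCommonService.RemoveRolesAndReturnEliminatedPoliciesForGroups(request, existingRoles, eliminatedRoles, tx)
 if err != nil {
 return nil, err
 }
@@ -427,32 +426,24 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 //Adding New Policies
 for index, roleFilter := range request.RoleFilters {
 if roleFilter.Entity == bean2.CLUSTER_ENTITIY {
-policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, roleGroup, existingRoles, token, managerAuth, tx, mapping[index])
+policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, roleGroup, existingRoles, tx, mapping[index])
 policies = append(policies, policiesToBeAdded...)
 if err != nil {
 impl.logger.Errorw("error in creating updating role group for cluster entity", "err", err, "roleFilter", roleFilter)
 }
 } else {
-if len(roleFilter.Team) > 0 {
-// check auth only for apps permission, skip for chart group
-rbacObject := fmt.Sprintf("%s", roleFilter.Team)
-isValidAuth := managerAuth(casbin2.ResourceUser, token, rbacObject)
-if !isValidAuth {
-continue
-}
-}
 switch roleFilter.Entity {
 case bean2.EntityJobs:
 {
-policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForJobsEntity(roleFilter, request.UserId, roleGroup, existingRoles, token, managerAuth, tx, mapping[index])
+policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForJobsEntity(roleFilter, request.UserId, roleGroup, existingRoles, tx, mapping[index])
 policies = append(policies, policiesToBeAdded...)
 if err != nil {
 impl.logger.Errorw("error in creating updating role group for jobs entity", "err", err, "roleFilter", roleFilter)
 }
 }
 default:
 {
-policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForOtherEntity(roleFilter, request, roleGroup, existingRoles, token, managerAuth, tx, mapping[index])
+policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForOtherEntity(roleFilter, request, roleGroup, existingRoles, tx, mapping[index])
 policies = append(policies, policiesToBeAdded...)
 if err != nil {
 impl.logger.Errorw("error in creating updating role group for other entity", "err", err, "roleFilter", roleFilter)
@@ -483,6 +474,22 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 policies = append(policies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(roleGroup.CasbinName), Obj: casbin2.Object(roleModel.Role)})
 }
 }
+
+if checkRBACForGroupUpdate != nil {
+isAuthorised, err := checkRBACForGroupUpdate(token, request, eliminatedRoleModels)
+if err != nil {
+impl.logger.Errorw("error in checking RBAC for role group update", "err", err, "request", request)
+return nil, err
+} else if !isAuthorised {
+impl.logger.Errorw("rbac check failed for role group update", "request", request)
+return nil, &util.ApiError{
+Code: "403",
+HttpStatusCode: http.StatusForbidden,
+UserMessage: "unauthorized",
+}
+}
+}
+
 //deleting policies from casbin
 impl.logger.Debugw("eliminated policies", "eliminatedPolicies", eliminatedPolicies)
 if len(eliminatedPolicies) > 0 {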
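Review bot: In UpdateRoleGroup the new authorization block runs only `if checkRBACForGroupUpdate != nil`, so a caller that passes nil gets the whole update applied with no RBAC check at the service layer, whereas the removed code at least invoked `managerAuth` unconditionally for team-scoped filters. Prefer fail-closed: `if checkRBACForGroupUpdate == nil { return nil, errors.New("checkRBACForGroupUpdate must not be nil") }` at the top of the function (`errors` is already imported), or, if an internal caller legitimately passes nil, say so in a doc comment on UpdateRoleGroup. The two new early returns fire after roles have already been removed on `tx` by RemoveRolesAndReturnEliminatedPoliciesForGroups; the `dbConnection.Begin()` in the @@ -372 hunk shows no `defer tx.Rollback()` within view, so please confirm one exists or these returns leave the transaction open. On style, the long function-typed parameter is now spelled out verbatim in both the interface (@@ -37) and the implementation (@@ -372); a named type such as `type GroupUpdateRBACChecker func(token string, groupInfo *bean.RoleGroup, eliminatedRoleFilters []*repository.RoleModel) (bool, error)` keeps the two from drifting. UpdateRoleGroup continues outside the hunk.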