Merge branch 'main' into develop-oss

Author: gireesh-naidu

Dockerfile

@@ -6,6 +6,7 @@ RUN apt install git gcc musl-dev make -y
 RUN go install github.com/google/wire/cmd/wire@latest
 WORKDIR /go/src/github.com/devtron-labs/devtron
 ADD . /go/src/github.com/devtron-labs/devtron/
+ADD ./vendor/github.com/Microsoft/ /go/src/github.com/devtron-labs/devtron/vendor/github.com/microsoft/
 RUN GOOS=linux make build-all
 
 # uncomment this post build arg

DockerfileEA

@@ -6,6 +6,7 @@ RUN apt install git gcc musl-dev make -y
 RUN go install github.com/google/wire/cmd/wire@latest
 WORKDIR /go/src/github.com/devtron-labs/devtron
 ADD . /go/src/github.com/devtron-labs/devtron/
+ADD ./vendor/github.com/Microsoft/ /go/src/github.com/devtron-labs/devtron/vendor/github.com/microsoft/
 RUN GOOS=linux make build-all
 
 FROM ubuntu:22.04@sha256:1b8d8ff4777f36f19bfe73ee4df61e3a0b789caeff29caa019539ec7c9a57f95 as  devtron-ea

api/appStore/deployment/CommonDeploymentRestHandler.go

@@ -92,8 +92,7 @@ func (handler *CommonDeploymentRestHandlerImpl) getAppOfferingMode(installedAppI
 			err = &util.ApiError{HttpStatusCode: http.StatusBadRequest, UserMessage: "invalid app id"}
 			return appOfferingMode, installedAppDto, err
 		}
-		uniqueAppName := appIdentifier.GetUniqueAppNameIdentifier()
-		installedAppDto, err = handler.installedAppService.GetInstalledAppByClusterNamespaceAndName(appIdentifier.ClusterId, appIdentifier.Namespace, uniqueAppName)
+		installedAppDto, err = handler.installedAppService.GetInstalledAppByClusterNamespaceAndName(appIdentifier)
 		if err != nil {
 			err = &util.ApiError{HttpStatusCode: http.StatusBadRequest, UserMessage: "unable to find app in database"}
 			return appOfferingMode, installedAppDto, err

api/auth/user/UserRestHandler.go

@@ -142,7 +142,7 @@ func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Req
 	//RBAC enforcer Ends
 	//In create req, we also check if any email exists already. If yes, then in that case we go on and merge existing roles and groups with the ones in request
 	//but rbac is only checked on create request roles and groups as existing roles and groups are assumed to be checked when created/updated before
-	res, err := handler.userService.CreateUser(&userInfo)
+	res, err := handler.userService.CreateUser(&userInfo, token, handler.CheckManagerAuth)
 	if err != nil {
 		handler.logger.Errorw("service err, CreateUser", "err", err, "payload", userInfo)
 		if _, ok := err.(*util.ApiError); ok {
@@ -192,7 +192,7 @@ func (handler UserRestHandlerImpl) UpdateUser(w http.ResponseWriter, r *http.Req
 		return
 	}
 
-	res, err := handler.userService.UpdateUser(&userInfo, token, handler.checkRBACForUserUpdate)
+	res, err := handler.userService.UpdateUser(&userInfo, token, handler.checkRBACForUserUpdate, handler.CheckManagerAuth)
 	if err != nil {
 		handler.logger.Errorw("service err, UpdateUser", "err", err, "payload", userInfo)
 		common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
@@ -243,18 +243,9 @@ func (handler UserRestHandlerImpl) GetById(w http.ResponseWriter, r *http.Reques
 	// RBAC enforcer applying
 	filteredRoleFilter := make([]bean.RoleFilter, 0)
 	if res.RoleFilters != nil && len(res.RoleFilters) > 0 {
+		isUserSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*")
 		for _, filter := range res.RoleFilters {
-			authPass := true
-			if len(filter.Team) > 0 {
-				if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionGet, filter.Team); !ok {
-					authPass = false
-				}
-			}
-			if filter.Entity == bean2.CLUSTER_ENTITIY {
-				if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !ok {
-					authPass = false
-				}
-			}
+			authPass := handler.checkRbacForFilter(token, filter, isUserSuperAdmin)
 			if authPass {
 				filteredRoleFilter = append(filteredRoleFilter, filter)
 			}
@@ -578,18 +569,9 @@ func (handler UserRestHandlerImpl) FetchRoleGroupById(w http.ResponseWriter, r *
 	token := r.Header.Get("token")
 	filteredRoleFilter := make([]bean.RoleFilter, 0)
 	if res.RoleFilters != nil && len(res.RoleFilters) > 0 {
+		isUserSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*")
 		for _, filter := range res.RoleFilters {
-			authPass := true
-			if len(filter.Team) > 0 {
-				if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionGet, filter.Team); !ok {
-					authPass = false
-				}
-			}
-			if filter.Entity == bean2.CLUSTER_ENTITIY {
-				if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !isValidAuth {
-					authPass = false
-				}
-			}
+			authPass := handler.checkRbacForFilter(token, filter, isUserSuperAdmin)
 			if authPass {
 				filteredRoleFilter = append(filteredRoleFilter, filter)
 			}
@@ -610,6 +592,35 @@ func (handler UserRestHandlerImpl) FetchRoleGroupById(w http.ResponseWriter, r *
 	common.WriteJsonResp(w, err, res, http.StatusOK)
 }
 
+func (handler UserRestHandlerImpl) checkRbacForFilter(token string, filter bean.RoleFilter, isUserSuperAdmin bool) bool {
+	isAuthorised := true
+	switch {
+	case isUserSuperAdmin:
+		isAuthorised = true
+	case filter.AccessType == bean2.APP_ACCESS_TYPE_HELM || filter.Entity == bean2.EntityJobs:
+		if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !ok {
+			isAuthorised = false
+		}
+
+	case len(filter.Team) > 0:
+		// this is case of devtron app
+		if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionGet, filter.Team); !ok {
+			isAuthorised = false
+		}
+
+	case filter.Entity == bean.CLUSTER_ENTITIY:
+		isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth)
+		if !isValidAuth {
+			isAuthorised = false
+		}
+	case filter.Entity == bean.CHART_GROUP_ENTITY:
+		isAuthorised = true
+	default:
+		isAuthorised = false
+	}
+	return isAuthorised
+}
+
 func (handler UserRestHandlerImpl) CreateRoleGroup(w http.ResponseWriter, r *http.Request) {
 	decoder := json.NewDecoder(r.Body)
 	userId, err := handler.userService.GetLoggedInUser(r)
@@ -698,7 +709,7 @@ func (handler UserRestHandlerImpl) UpdateRoleGroup(w http.ResponseWriter, r *htt
 		return
 	}
 
-	res, err := handler.roleGroupService.UpdateRoleGroup(&request, token, handler.checkRBACForRoleGroupUpdate)
+	res, err := handler.roleGroupService.UpdateRoleGroup(&request, token, handler.checkRBACForRoleGroupUpdate, handler.CheckManagerAuth)
 	if err != nil {
 		handler.logger.Errorw("service err, UpdateRoleGroup", "err", err, "payload", request)
 		common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
@@ -908,7 +919,7 @@ func (handler UserRestHandlerImpl) DeleteRoleGroup(w http.ResponseWriter, r *htt
 		return
 	}
 	token := r.Header.Get("token")
-	isAuthorised, err := handler.checkRBACForRoleGroupDelete(token, userGroup.RoleFilters)
+	isAuthorised, err := handler.checkRBACForRoleGroupDelete(token, userGroup)
 	if err != nil {
 		common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
 		return
@@ -1138,7 +1149,7 @@ func (handler UserRestHandlerImpl) checkRBACForUserCreate(token string, requestS
 					isAuthorised = false
 				}
 				if !isAuthorised {
-					break
+					return false, nil
 				}
 			}
 		}
@@ -1167,7 +1178,7 @@ func (handler UserRestHandlerImpl) checkRBACForUserCreate(token string, requestS
 						isAuthorised = false
 					}
 					if !isAuthorised {
-						break
+						return false, nil
 					}
 				}
 			} else {
@@ -1206,7 +1217,7 @@ func (handler UserRestHandlerImpl) checkRBACForUserUpdate(token string, userInfo
 					isAuthorised = false
 				}
 				if !isAuthorised {
-					break
+					return false, nil
 				}
 			}
 		}
@@ -1225,7 +1236,7 @@ func (handler UserRestHandlerImpl) checkRBACForUserUpdate(token string, userInfo
 					isAuthorised = false
 				}
 				if !isAuthorised {
-					break
+					return false, nil
 				}
 			}
 		}
@@ -1252,7 +1263,7 @@ func (handler UserRestHandlerImpl) checkRBACForUserUpdate(token string, userInfo
 						isAuthorised = false
 					}
 					if !isAuthorised {
-						break
+						return false, nil
 					}
 				}
 			} else {
@@ -1263,11 +1274,10 @@ func (handler UserRestHandlerImpl) checkRBACForUserUpdate(token string, userInfo
 	return isAuthorised, nil
 }
 
-func (handler UserRestHandlerImpl) checkRBACForRoleGroupUpdate(token string, groupInfo *bean.RoleGroup,
-	eliminatedRoleFilters []*repository.RoleModel) (isAuthorised bool, err error) {
+func (handler UserRestHandlerImpl) checkRBACForRoleGroupUpdate(token string, groupInfo *bean.RoleGroup, eliminatedRoleFilters []*repository.RoleModel, isRoleGroupAlreadySuperAdmin bool) (isAuthorised bool, err error) {
 	isActionUserSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*")
 	requestSuperAdmin := groupInfo.SuperAdmin
-	if requestSuperAdmin && !isActionUserSuperAdmin {
+	if (requestSuperAdmin || isRoleGroupAlreadySuperAdmin) && !isActionUserSuperAdmin {
 		//if user is going to be provided with super-admin access or already a super-admin then the action user should be a super-admin
 		return false, nil
 	}
@@ -1290,7 +1300,7 @@ func (handler UserRestHandlerImpl) checkRBACForRoleGroupUpdate(token string, gro
 					isAuthorised = false
 				}
 				if !isAuthorised {
-					break
+					return false, nil
 				}
 			}
 		}
@@ -1309,20 +1319,23 @@ func (handler UserRestHandlerImpl) checkRBACForRoleGroupUpdate(token string, gro
 					isAuthorised = false
 				}
 				if !isAuthorised {
-					break
+					return false, nil
 				}
 			}
 		}
 	}
 	return isAuthorised, nil
 }
 
-func (handler UserRestHandlerImpl) checkRBACForRoleGroupDelete(token string, groupRoles []bean.RoleFilter) (isAuthorised bool, err error) {
+func (handler UserRestHandlerImpl) checkRBACForRoleGroupDelete(token string, userGroup *bean.RoleGroup) (isAuthorised bool, err error) {
 	isActionUserSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*")
+	if userGroup.SuperAdmin && !isActionUserSuperAdmin {
+		return false, nil
+	}
 	isAuthorised = isActionUserSuperAdmin
 	if !isAuthorised {
-		if groupRoles != nil && len(groupRoles) > 0 { //auth check inside roleFilters
-			for _, filter := range groupRoles {
+		if userGroup.RoleFilters != nil && len(userGroup.RoleFilters) > 0 { //auth check inside roleFilters
+			for _, filter := range userGroup.RoleFilters {
 				switch {
 				case filter.Action == bean.ACTION_SUPERADMIN:
 					isAuthorised = isActionUserSuperAdmin
@@ -1338,7 +1351,7 @@ func (handler UserRestHandlerImpl) checkRBACForRoleGroupDelete(token string, gro
 					isAuthorised = false
 				}
 				if !isAuthorised {
-					break
+					return false, nil
 				}
 			}
 		}

api/helm-app/HelmAppRestHandler.go

@@ -159,7 +159,7 @@ func (handler *HelmAppRestHandlerImpl) GetApplicationDetail(w http.ResponseWrite
 		return
 	}
 
-	installedApp, err := handler.installedAppService.GetInstalledAppByClusterNamespaceAndName(appIdentifier.ClusterId, appIdentifier.Namespace, appIdentifier.ReleaseName)
+	installedApp, err := handler.installedAppService.GetInstalledAppByClusterNamespaceAndName(appIdentifier)
 	if err != nil {
 		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 		return

api/restHandler/app/pipeline/configure/BuildPipelineRestHandler.go

@@ -714,17 +714,33 @@ func (handler *PipelineConfigRestHandlerImpl) TriggerCiPipeline(w http.ResponseW
 		return
 	}
 	cdPipelineRbacObjects := make([]string, len(cdPipelines))
+	rbacObjectCdTriggerTypeMap := make(map[string]pipelineConfig.TriggerType, len(cdPipelines))
 	for i, cdPipeline := range cdPipelines {
 		envObject := handler.enforcerUtil.GetAppRBACByAppIdAndPipelineId(cdPipeline.AppId, cdPipeline.Id)
 		cdPipelineRbacObjects[i] = envObject
+		rbacObjectCdTriggerTypeMap[envObject] = cdPipeline.TriggerType
 	}
-	envRbacResultMap := handler.enforcer.EnforceInBatch(token, casbin.ResourceEnvironment, casbin.ActionTrigger, cdPipelineRbacObjects)
-	for _, rbacResultOk := range envRbacResultMap {
-		if !rbacResultOk {
+
+	hasAnyEnvTriggerAccess := len(cdPipelines) == 0 //if no pipelines then appAccess is enough. For jobs also, this will be true
+	if !hasAnyEnvTriggerAccess {
+		//cdPipelines present, to check access for cd trigger
+		envRbacResultMap := handler.enforcer.EnforceInBatch(token, casbin.ResourceEnvironment, casbin.ActionTrigger, cdPipelineRbacObjects)
+		for rbacObject, rbacResultOk := range envRbacResultMap {
+			if rbacObjectCdTriggerTypeMap[rbacObject] == pipelineConfig.TRIGGER_TYPE_AUTOMATIC && !rbacResultOk {
+				common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
+				return
+			}
+			if rbacResultOk { //this flow will come if pipeline is automatic and has access or if pipeline is manual,
+				// by which we can ensure if there are no automatic pipelines then atleast access on one manual is present
+				hasAnyEnvTriggerAccess = true
+			}
+		}
+		if !hasAnyEnvTriggerAccess {
 			common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
 			return
 		}
 	}
+
 	//RBAC ENDS
 	response := make(map[string]string)
 	resp, err := handler.ciHandler.HandleCIManual(ciTriggerRequest)

cmd/external-app/wire_gen.go

@@ -66,11 +66,6 @@ type DockerArtifactStore struct {
 	sql.AuditLog
 }
 
-type DockerArtifactStoreExt struct {
-	*DockerArtifactStore
-	DeploymentCount int `sql:"deployment_count" json:"deploymentCount"`
-}
-
 type ChartDeploymentCount struct {
 	OCIChartName    string `sql:"oci_chart_name" json:"ociChartName"`
 	DeploymentCount int    `sql:"deployment_count" json:"deploymentCount"`
@@ -94,7 +89,7 @@ type DockerArtifactStoreRepository interface {
 	FindAllDockerArtifactCount() (int, error)
 	FindAllChartProviders() ([]DockerArtifactStore, error)
 	FindOne(storeId string) (*DockerArtifactStore, error)
-	FindOneWithDeploymentCount(storeId string) (*DockerArtifactStoreExt, error)
+	FindDeploymentCount(storeId string) (int, error)
 	FindOneWithChartDeploymentCount(storeId, chartName string) (*ChartDeploymentCount, error)
 	FindOneInactive(storeId string) (*DockerArtifactStore, error)
 	Update(artifactStore *DockerArtifactStore, tx *pg.Tx) error
@@ -205,14 +200,14 @@ func (impl DockerArtifactStoreRepositoryImpl) FindOne(storeId string) (*DockerAr
 	return &provider, err
 }
 
-func (impl DockerArtifactStoreRepositoryImpl) FindOneWithDeploymentCount(storeId string) (*DockerArtifactStoreExt, error) {
-	var provider DockerArtifactStoreExt
-	query := "SELECT docker_artifact_store.*, count(jq.ia_id) as deployment_count FROM docker_artifact_store" +
+func (impl DockerArtifactStoreRepositoryImpl) FindDeploymentCount(storeId string) (int, error) {
+	var DeploymentCount int
+	query := "SELECT count(jq.ia_id) as deployment_count FROM docker_artifact_store" +
 		fmt.Sprintf(" LEFT JOIN oci_registry_config orc on (docker_artifact_store.id = orc.docker_artifact_store_id and orc.is_chart_pull_active = true and orc.deleted = false and orc.repository_type = '%s' and (orc.repository_action = '%s' or orc.repository_action = '%s'))", OCI_REGISRTY_REPO_TYPE_CHART, STORAGE_ACTION_TYPE_PULL, STORAGE_ACTION_TYPE_PULL_AND_PUSH) +
 		" LEFT JOIN (SELECT aps.docker_artifact_store_id as das_id ,ia.id as ia_id FROM installed_app_versions iav INNER JOIN installed_apps ia on iav.installed_app_id = ia.id INNER JOIN app_store_application_version asav on iav.app_store_application_version_id = asav.id INNER JOIN app_store aps on asav.app_store_id = aps.id WHERE ia.active=true and iav.active=true) jq on jq.das_id = docker_artifact_store.id" +
 		" WHERE docker_artifact_store.id = ? and docker_artifact_store.active = true Group by docker_artifact_store.id;"
-	_, err := impl.dbConnection.Query(&provider, query, storeId)
-	return &provider, err
+	_, err := impl.dbConnection.Query(&DeploymentCount, query, storeId)
+	return DeploymentCount, err
 }
 
 func (impl DockerArtifactStoreRepositoryImpl) FindOneWithChartDeploymentCount(storeId, chartName string) (*ChartDeploymentCount, error) {

internal/sql/repository/dockerRegistry/DockerArtifactStoreRepository.go

@@ -0,0 +1,54 @@
+package cdWorkflow
+
+import (
+	"errors"
+	"github.com/devtron-labs/common-lib/utils/k8s/health"
+	"github.com/devtron-labs/devtron/client/argocdServer/bean"
+)
+
+var WfrTerminalStatusList = []string{WorkflowAborted, WorkflowFailed, WorkflowSucceeded, bean.HIBERNATING, string(health.HealthStatusHealthy), string(health.HealthStatusDegraded)}
+
+type WorkflowStatus int
+
+const (
+	WF_UNKNOWN WorkflowStatus = iota
+	REQUEST_ACCEPTED
+	ENQUEUED
+	QUE_ERROR
+	WF_STARTED
+	DROPPED_STALE
+	DEQUE_ERROR
+	TRIGGER_ERROR
+)
+
+const (
+	WorkflowStarting           = "Starting"
+	WorkflowInQueue            = "Queued"
+	WorkflowInitiated          = "Initiating"
+	WorkflowInProgress         = "Progressing"
+	WorkflowAborted            = "Aborted"
+	WorkflowFailed             = "Failed"
+	WorkflowSucceeded          = "Succeeded"
+	WorkflowTimedOut           = "TimedOut"
+	WorkflowUnableToFetchState = "UnableToFetch"
+	WorkflowTypeDeploy         = "DEPLOY"
+	WorkflowTypePre            = "PRE"
+	WorkflowTypePost           = "POST"
+)
+
+func (a WorkflowStatus) String() string {
+	return [...]string{"WF_UNKNOWN", "REQUEST_ACCEPTED", "ENQUEUED", "QUE_ERROR", "WF_STARTED", "DROPPED_STALE", "DEQUE_ERROR", "TRIGGER_ERROR"}[a]
+}
+
+var ErrorDeploymentSuperseded = errors.New(NEW_DEPLOYMENT_INITIATED)
+
+const (
+	WORKFLOW_EXECUTOR_TYPE_AWF    = "AWF"
+	WORKFLOW_EXECUTOR_TYPE_SYSTEM = "SYSTEM"
+	NEW_DEPLOYMENT_INITIATED      = "A new deployment was initiated before this deployment completed!"
+	PIPELINE_DELETED              = "The pipeline has been deleted!"
+	FOUND_VULNERABILITY           = "Found vulnerability on image"
+	GITOPS_REPO_NOT_CONFIGURED    = "GitOps repository is not configured for the app"
+)
+
+type WorkflowExecutorType string