Merge pull request #6103 from devtron-labs/image-scan

vikramdevtron · web-flow · commit c0f82e9845de · 2024-11-18T16:26:07.000+05:30
chore: implemented Rbac enforcer in batch
diff --git a/api/restHandler/ImageScanRestHandler.go b/api/restHandler/ImageScanRestHandler.go
@@ -34,6 +34,12 @@ import (
 	"go.uber.org/zap"
 )
 
+const (
+	ObjectTypeApp   = "app"
+	ObjectTypeChart = "chart"
+	ObjectTypePod   = "pod"
+)
+
 type ImageScanRestHandler interface {
 	ScanExecutionList(w http.ResponseWriter, r *http.Request)
 	FetchExecutionDetail(w http.ResponseWriter, r *http.Request)
@@ -90,37 +96,72 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 		}
 		return
 	}
+
 	token := r.Header.Get("token")
 	var ids []int
+	var appRBACObjects []string
+	var envRBACObjects []string
+	var podRBACObjects []string
+	podRBACMap := make(map[string]int)
+
+	IdToAppEnvPairs := make(map[int][2]int)
 	for _, item := range deployInfoList {
-		if item.ScanObjectMetaId > 0 && (item.ObjectType == "app" || item.ObjectType == "chart") {
-			object := impl.enforcerUtil.GetAppRBACNameByAppId(item.ScanObjectMetaId)
-			if ok := impl.enforcer.Enforce(token, casbin.ResourceApplications, casbin.ActionGet, object); !ok {
-				common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), "Unauthorized User", http.StatusForbidden)
-				return
+		if item.ScanObjectMetaId > 0 && (item.ObjectType == ObjectTypeApp || item.ObjectType == ObjectTypeChart) {
+			IdToAppEnvPairs[item.Id] = [2]int{item.ScanObjectMetaId, item.EnvId}
+		}
+	}
+
+	appObjects, envObjects, appIdtoApp, envIdToEnv, err := impl.enforcerUtil.GetAppAndEnvRBACNamesByAppAndEnvIds(IdToAppEnvPairs)
+	if err != nil {
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+
+	for _, item := range deployInfoList {
+		if item.ScanObjectMetaId > 0 && (item.ObjectType == ObjectTypeApp || item.ObjectType == ObjectTypeChart) {
+			appObject := appObjects[item.Id]
+			envObject := envObjects[item.Id]
+			if appObject != "" {
+				appRBACObjects = append(appRBACObjects, appObject)
 			}
-			object = impl.enforcerUtil.GetEnvRBACNameByAppId(item.ScanObjectMetaId, item.EnvId)
-			if ok := impl.enforcer.Enforce(token, casbin.ResourceEnvironment, casbin.ActionGet, object); ok {
-				ids = append(ids, item.Id)
+			if envObject != "" {
+				envRBACObjects = append(envRBACObjects, envObject)
 			}
-		} else if item.ScanObjectMetaId > 0 && (item.ObjectType == "pod") {
+		} else if item.ScanObjectMetaId > 0 && (item.ObjectType == ObjectTypePod) {
 			environments, err := impl.environmentService.GetByClusterId(item.ClusterId)
 			if err != nil {
 				common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 				return
 			}
-			pass := false
 			for _, environment := range environments {
-				if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobalEnvironment, casbin.ActionGet, environment.EnvironmentIdentifier); ok {
-					pass = true
-					continue
-				}
+				podObject := environment.EnvironmentIdentifier
+				podRBACObjects = append(podRBACObjects, podObject)
+				podRBACMap[podObject] = item.Id
 			}
-			if pass {
-				ids = append(ids, item.Id)
+		}
+	}
+
+	appResults := impl.enforcer.EnforceInBatch(token, casbin.ResourceApplications, casbin.ActionGet, appRBACObjects)
+	envResults := impl.enforcer.EnforceInBatch(token, casbin.ResourceEnvironment, casbin.ActionGet, envRBACObjects)
+	podResults := impl.enforcer.EnforceInBatch(token, casbin.ResourceGlobalEnvironment, casbin.ActionGet, podRBACObjects)
+
+	for _, item := range deployInfoList {
+		if impl.enforcerUtil.IsAuthorizedForAppInAppResults(item.ScanObjectMetaId, appResults, appIdtoApp) && impl.enforcerUtil.IsAuthorizedForEnvInEnvResults(item.ScanObjectMetaId, item.EnvId, envResults, appIdtoApp, envIdToEnv) {
+			ids = append(ids, item.Id)
+		}
+	}
+	for podObject, authorized := range podResults {
+		if authorized {
+			if itemId, exists := podRBACMap[podObject]; exists {
+				ids = append(ids, itemId)
 			}
 		}
-		// skip for pod
+	}
+
+	if ids == nil || len(ids) == 0 {
+		responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
+		common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
+		return
 	}
 
 	results, err := impl.imageScanService.FetchScanExecutionListing(request, ids)
diff --git a/internal/sql/repository/app/AppRepository.go b/internal/sql/repository/app/AppRepository.go
@@ -74,6 +74,7 @@ type AppRepository interface {
 	FindByIds(ids []*int) ([]*App, error)
 	FetchAppsByFilterV2(appNameIncludes string, appNameExcludes string, environmentId int) ([]*App, error)
 	FindAppAndProjectByAppId(appId int) (*App, error)
+	FindAppAndProjectByAppIds(appIds []*int) ([]*App, error)
 	FindAppAndProjectByAppName(appName string) (*App, error)
 	GetConnection() *pg.DB
 	FindAllMatchesByAppName(appName string, appType helper.AppType) ([]*App, error)
@@ -181,6 +182,19 @@ func (repo AppRepositoryImpl) FindJobByDisplayName(appName string) (*App, error)
 	return pipelineGroup, err
 }
 
+func (repo AppRepositoryImpl) FindAppAndProjectByAppIds(appIds []*int) ([]*App, error) {
+	var apps []*App
+	if len(appIds) == 0 {
+		return apps, nil
+	}
+
+	err := repo.dbConnection.Model(&apps).Column("Team").
+		Where("app.id in (?)", pg.In(appIds)).
+		Where("app.active=?", true).
+		Select()
+	return apps, err
+}
+
 func (repo AppRepositoryImpl) FindActiveListByName(appName string) ([]*App, error) {
 	var apps []*App
 	err := repo.dbConnection.
diff --git a/util/rbac/EnforcerUtil.go b/util/rbac/EnforcerUtil.go
@@ -37,6 +37,9 @@ import (
 )
 
 type EnforcerUtil interface {
+	GetAppAndEnvRBACNamesByAppAndEnvIds(IdToAppEnvPairs map[int][2]int) (map[int]string, map[int]string, map[int]*app.App, map[int]*repository.Environment, error)
+	IsAuthorizedForAppInAppResults(appId int, rbacResults map[string]bool, appIdtoApp map[int]*app.App) bool
+	IsAuthorizedForEnvInEnvResults(appId int, envId int, appResults map[string]bool, appIdtoApp map[int]*app.App, envIdToEnv map[int]*repository.Environment) bool
 	GetAppRBACName(appName string) string
 	GetRbacObjectsForAllApps(appType helper.AppType) map[int]string
 	GetRbacObjectsForAllAppsWithTeamID(teamID int, appType helper.AppType) map[int]string
@@ -111,6 +114,87 @@ func NewEnforcerUtilImpl(logger *zap.SugaredLogger, teamRepository team.TeamRepo
 	}
 }
 
+func (impl EnforcerUtilImpl) IsAuthorizedForAppInAppResults(appId int, rbacResults map[string]bool, appIdtoApp map[int]*app.App) bool {
+	app, appExists := appIdtoApp[appId]
+	if !appExists {
+		return false
+	}
+
+	appObject := fmt.Sprintf("%s/%s", app.Team.Name, app.AppName)
+	if authorized, exists := rbacResults[appObject]; exists && authorized {
+		return true
+	}
+	return false
+}
+
+func (impl EnforcerUtilImpl) IsAuthorizedForEnvInEnvResults(appId int, envId int, rbacResults map[string]bool, appIdtoApp map[int]*app.App, envIdToEnv map[int]*repository.Environment) bool {
+	app, appExists := appIdtoApp[appId]
+	if !appExists {
+		return false
+	}
+	env, envExists := envIdToEnv[envId]
+	if !envExists {
+		return false
+	}
+
+	envObject := fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, app.AppName)
+	if authorized, exists := rbacResults[envObject]; exists && authorized {
+		return true
+	}
+	return false
+}
+
+func (impl EnforcerUtilImpl) GetAppAndEnvRBACNamesByAppAndEnvIds(appEnvPairs map[int][2]int) (map[int]string, map[int]string, map[int]*app.App, map[int]*repository.Environment, error) {
+	appObjects := make(map[int]string)
+	envObjects := make(map[int]string)
+
+	appIds := make([]*int, 0, len(appEnvPairs))
+	envIds := make([]*int, 0, len(appEnvPairs))
+	for _, pair := range appEnvPairs {
+		appId := pair[0]
+		envId := pair[1]
+		appIds = append(appIds, &appId)
+		envIds = append(envIds, &envId)
+	}
+	appIdToAppMap := make(map[int]*app.App)
+	envIdToEnvMap := make(map[int]*repository.Environment)
+	applications, err := impl.appRepo.FindAppAndProjectByAppIds(appIds)
+
+	if err != nil {
+		return nil, nil, appIdToAppMap, envIdToEnvMap, err
+	}
+
+	for _, app := range applications {
+		appIdToAppMap[app.Id] = app
+	}
+
+	environments, err := impl.environmentRepository.FindByIds(envIds)
+	if err != nil {
+		return nil, nil, appIdToAppMap, envIdToEnvMap, err
+	}
+
+	for _, env := range environments {
+		envIdToEnvMap[env.Id] = env
+	}
+
+	for id, pair := range appEnvPairs {
+		appId := pair[0]
+		envId := pair[1]
+		// check if app and env exists
+		// handling for deleted app and env
+		if _, ok := appIdToAppMap[appId]; !ok {
+			continue
+		}
+		if _, ok := envIdToEnvMap[envId]; !ok {
+			continue
+		}
+		appObjects[id] = fmt.Sprintf("%s/%s", appIdToAppMap[appId].Team.Name, appIdToAppMap[appId].AppName)
+		envObjects[id] = fmt.Sprintf("%s/%s", envIdToEnvMap[envId].EnvironmentIdentifier, appIdToAppMap[appId].AppName)
+	}
+
+	return appObjects, envObjects, appIdToAppMap, envIdToEnvMap, nil
+}
+
 func (impl EnforcerUtilImpl) GetRbacObjectsByEnvIdsAndAppId(envIds []int, appId int) (map[int]string, map[string]string) {
 
 	objects := make(map[int]string)
