Merge branch 'main' into develop-main-sync-4jun-1

Author: kartik-579

App.go

@@ -56,6 +56,7 @@ type App struct {
 	server        *http.Server
 	db            *pg.DB
 	posthogClient *posthogTelemetry.PosthogClient
+	userService   user.UserService
 	// eventProcessor.CentralEventProcessor is used to register event processors
 	centralEventProcessor *eventProcessor.CentralEventProcessor // do not remove this.
 	// used for local dev only
@@ -79,6 +80,7 @@ func NewApp(router *router.MuxRouter,
 	pubSubClient *pubsub.PubSubClientServiceImpl,
 	workflowEventProcessorImpl *in.WorkflowEventProcessorImpl,
 	enforcerV2 *casbinv2.SyncedEnforcer,
+	userService user.UserService,
 ) *App {
 	//check argo connection
 	//todo - check argo-cd version on acd integration installation
@@ -97,6 +99,7 @@ func NewApp(router *router.MuxRouter,
 		centralEventProcessor:      centralEventProcessor,
 		pubSubClient:               pubSubClient,
 		workflowEventProcessorImpl: workflowEventProcessorImpl,
+		userService:                userService,
 	}
 	return app
 }
@@ -112,7 +115,7 @@ func (app *App) Start() {
 	app.MuxRouter.Init()
 	//authEnforcer := casbin2.Create()
 
-	server := &http.Server{Addr: fmt.Sprintf(":%d", port), Handler: authMiddleware.Authorizer(app.sessionManager2, user.WhitelistChecker, nil)(app.MuxRouter.Router)}
+	server := &http.Server{Addr: fmt.Sprintf(":%d", port), Handler: authMiddleware.Authorizer(app.sessionManager2, user.WhitelistChecker, app.userService.CheckUserStatusAndUpdateLoginAudit)(app.MuxRouter.Router)}
 	app.MuxRouter.Router.Use(app.loggingMiddleware.LoggingMiddleware)
 	app.MuxRouter.Router.Use(middleware.PrometheusMiddleware)
 	app.MuxRouter.Router.Use(middlewares.Recovery)

cmd/external-app/externalApp.go

@@ -42,21 +42,24 @@ type App struct {
 	server         *http.Server
 	telemetry      telemetry.TelemetryEventClient
 	posthogClient  *posthogTelemetry.PosthogClient
+	userService    user.UserService
 }
 
 func NewApp(db *pg.DB,
 	sessionManager *authMiddleware.SessionManager,
 	MuxRouter *MuxRouter,
 	telemetry telemetry.TelemetryEventClient,
 	posthogClient *posthogTelemetry.PosthogClient,
-	Logger *zap.SugaredLogger) *App {
+	Logger *zap.SugaredLogger,
+	userService user.UserService) *App {
 	return &App{
 		db:             db,
 		sessionManager: sessionManager,
 		MuxRouter:      MuxRouter,
 		Logger:         Logger,
 		telemetry:      telemetry,
 		posthogClient:  posthogClient,
+		userService:    userService,
 	}
 }
 func (app *App) Start() {
@@ -73,7 +76,7 @@ func (app *App) Start() {
 	if err != nil {
 		app.Logger.Warnw("telemetry installation success event failed", "err", err)
 	}
-	server := &http.Server{Addr: fmt.Sprintf(":%d", port), Handler: authMiddleware.Authorizer(app.sessionManager, user.WhitelistChecker, nil)(app.MuxRouter.Router)}
+	server := &http.Server{Addr: fmt.Sprintf(":%d", port), Handler: authMiddleware.Authorizer(app.sessionManager, user.WhitelistChecker, app.userService.CheckUserStatusAndUpdateLoginAudit)(app.MuxRouter.Router)}
 	app.MuxRouter.Router.Use(middleware.PrometheusMiddleware)
 	app.MuxRouter.Router.Use(middlewares.Recovery)
 	app.server = server

cmd/external-app/wire_gen.go

@@ -307,8 +307,8 @@ require (
 
 replace (
 	github.com/argoproj/argo-workflows/v3 v3.5.13 => github.com/devtron-labs/argo-workflows/v3 v3.5.13
-	github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250602065932-06089729a1c2
-	github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250602065932-06089729a1c2
+	github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250604112749-a4fc904430f9
+	github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250604112749-a4fc904430f9
 	github.com/go-check/check => github.com/go-check/check v0.0.0-20180628173108-788fd7840127
 	github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.5.5
 	k8s.io/api => k8s.io/api v0.29.7

go.mod

@@ -829,10 +829,10 @@ github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc h1:VRRKCwnzq
 github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/devtron-labs/argo-workflows/v3 v3.5.13 h1:3pINq0gXOSeTw2z/vYe+j80lRpSN5Rp/8mfQORh8SmU=
 github.com/devtron-labs/argo-workflows/v3 v3.5.13/go.mod h1:/vqxcovDPT4zqr4DjR5v7CF8ggpY1l3TSa2CIG3jmjA=
-github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250602065932-06089729a1c2 h1:X0pXpqQrEEt+aXck0WTTokdNs0RfTVufotoATL10shw=
-github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250602065932-06089729a1c2/go.mod h1:FfaLDXN1ZXxyRpnskBqVIYkpkWDCzBmDgIO9xqLnxdQ=
-github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250602065932-06089729a1c2 h1:1uzqPQQvbQVyip6UU/YN8pYwjQOD8K8rEmql7HrrsBk=
-github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250602065932-06089729a1c2/go.mod h1:HQVUnQI7WHwVq89Bib/18xJqM89S1+xI0O7REctMMrA=
+github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250604112749-a4fc904430f9 h1:OFZ1AMLSm428qw/IXXUK4sKcsIiUbmYTxhBZBzouau0=
+github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250604112749-a4fc904430f9/go.mod h1:FfaLDXN1ZXxyRpnskBqVIYkpkWDCzBmDgIO9xqLnxdQ=
+github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250604112749-a4fc904430f9 h1:VVTeMCYeQqPVxP+f5nKhY/C24n7RwbxZQgfQTQijZPs=
+github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250604112749-a4fc904430f9/go.mod h1:HQVUnQI7WHwVq89Bib/18xJqM89S1+xI0O7REctMMrA=
 github.com/devtron-labs/go-bitbucket v0.9.60-beta h1:VEx1jvDgdtDPS6A1uUFoaEi0l1/oLhbr+90xOwr6sDU=
 github.com/devtron-labs/go-bitbucket v0.9.60-beta/go.mod h1:GnuiCesvh8xyHeMCb+twm8lBR/kQzJYSKL28ZfObp1Y=
 github.com/devtron-labs/protos v0.0.3-0.20250323220609-ecf8a0f7305e h1:U6UdYbW8a7xn5IzFPd8cywjVVPfutGJCudjePAfL/Hs=

go.sum

@@ -607,6 +607,10 @@ func (impl AppWorkflowServiceImpl) FindAppWorkflowsByEnvironmentId(request resou
 	}
 	appResults, envResults := request.CheckAuthBatch(token, appObjectArr, envObjectArr)
 	for _, pipeline := range pipelines {
+		if _, ok := objects[pipeline.Id]; !ok {
+			impl.Logger.Warnw("pipeline not found in objects map", "pipelineId", pipeline.Id)
+			continue
+		}
 		appObject := objects[pipeline.Id][0]
 		envObject := objects[pipeline.Id][1]
 		if !(appResults[appObject] && envResults[envObject]) {

pkg/appWorkflow/AppWorkflowService.go

@@ -126,20 +126,15 @@ func (impl *UserSelfRegistrationServiceImpl) CheckAndCreateUserIfConfigured(clai
 		emailId = sub
 	}
 	exists := impl.userService.UserExists(emailId)
-	var id int32
 	if !exists {
 		impl.logger.Infow("self registering user,  ", "email", emailId)
 		user, err := impl.SelfRegister(emailId)
 		if err != nil {
 			impl.logger.Errorw("error while register user", "error", err)
 		} else if user != nil && user.Id > 0 {
-			id = user.Id
 			exists = true
 		}
 	}
-	if exists {
-		impl.userService.SaveLoginAudit(emailId, "localhost", id)
-	}
 	impl.logger.Infow("user status", "email", emailId, "status", exists)
 	return exists
 }

pkg/auth/user/UserSelfRegistrationService.go

@@ -86,6 +86,7 @@ type UserService interface {
 	GetRoleFiltersByUserRoleGroups(userRoleGroups []userBean.UserRoleGroup) ([]userBean.RoleFilter, error)
 	SaveLoginAudit(emailId, clientIp string, id int32)
 	CheckIfTokenIsValid(email string, version string) error
+	CheckUserStatusAndUpdateLoginAudit(token string) (bool, int32, string, error)
 }
 
 type UserServiceImpl struct {
@@ -1826,3 +1827,34 @@ func (impl *UserServiceImpl) GetUserBasicDataByEmailId(emailId string) (*userBea
 	}
 	return response, nil
 }
+
+func (impl *UserServiceImpl) CheckUserStatusAndUpdateLoginAudit(token string) (bool, int32, string, error) {
+	emailId, version, err := impl.GetEmailAndVersionFromToken(token)
+	if err != nil {
+		impl.logger.Error("unable to fetch user by token")
+		err = &util.ApiError{HttpStatusCode: 401, UserMessage: "Invalid User", InternalMessage: "unable to fetch user by token"}
+		return false, 0, "", err
+	}
+	userId, isInactive, err := impl.getUserWithTimeoutWindowConfiguration(emailId)
+	if err != nil {
+		err = &util.ApiError{HttpStatusCode: 401, UserMessage: "Invalid User", InternalMessage: err.Error()}
+		impl.logger.Errorw("unable to fetch user by email, %s", token)
+		return isInactive, userId, "", err
+	}
+	//if user is inactive, no need to store audit log
+	if !isInactive {
+		impl.SaveLoginAudit(emailId, "localhost", userId)
+	}
+	// checking length of version, to ensure backward compatibility as earlier we did not
+	// have version for api-tokens
+	// therefore, for tokens without version we will skip the below part
+	if strings.HasPrefix(emailId, userBean.API_TOKEN_USER_EMAIL_PREFIX) && len(version) > 0 {
+		err := impl.CheckIfTokenIsValid(emailId, version)
+		if err != nil {
+			impl.logger.Errorw("token is not valid", "error", err, "token", token)
+			return isInactive, userId, "", err
+		}
+	}
+
+	return isInactive, userId, emailId, nil
+}

pkg/auth/user/UserService.go

@@ -8,6 +8,7 @@ import (
 	userBean "github.com/devtron-labs/devtron/pkg/auth/user/bean"
 	userrepo "github.com/devtron-labs/devtron/pkg/auth/user/repository"
 	"github.com/go-pg/pg"
+	"github.com/juju/errors"
 	"strings"
 )
 
@@ -204,3 +205,14 @@ func (impl *UserServiceImpl) checkValidationAndPerformOperationsForUpdate(token
 	}
 	return false, isUserSuperAdmin, nil
 }
+
+func (impl *UserServiceImpl) getUserWithTimeoutWindowConfiguration(emailId string) (int32, bool, error) {
+	user, err := impl.userRepository.FetchActiveUserByEmail(emailId)
+	if err != nil {
+		impl.logger.Errorw("error while fetching user from db", "error", err)
+		errMsg := fmt.Sprintf("failed to fetch user by email id, err: %s", err.Error())
+		return 0, false, errors.New(errMsg)
+	}
+	// here false is always returned to match signature of authoriser function.
+	return user.Id, false, nil
+}

pkg/auth/user/UserService_ent.go

@@ -1336,6 +1336,13 @@ func (impl BulkUpdateServiceImpl) BulkDeploy(request *bean4.BulkApplicationForEn
 			pResponse[pipelineKey] = false
 			response[appKey] = pResponse
 		}
+		if _, ok := objects[pipeline.Id]; !ok {
+			//if user unauthorized, skip items
+			pipelineResponse := response[appKey]
+			pipelineResponse[pipelineKey] = false
+			response[appKey] = pipelineResponse
+			continue
+		}
 		appObject := objects[pipeline.Id][0]
 		envObject := objects[pipeline.Id][1]
 		if !(appResults[appObject] && envResults[envObject]) {