Merge pull request #6136 from devtron-labs/secret-masking-fix

fix: Secret masking fix

Author: prakash100198

Wire.go

@@ -49,6 +49,7 @@ import (
 	"github.com/devtron-labs/devtron/api/restHandler"
 	"github.com/devtron-labs/devtron/api/restHandler/app/appInfo"
 	appList2 "github.com/devtron-labs/devtron/api/restHandler/app/appList"
+	configDiff2 "github.com/devtron-labs/devtron/api/restHandler/app/configDiff"
 	pipeline3 "github.com/devtron-labs/devtron/api/restHandler/app/pipeline"
 	pipeline2 "github.com/devtron-labs/devtron/api/restHandler/app/pipeline/configure"
 	"github.com/devtron-labs/devtron/api/restHandler/app/pipeline/history"
@@ -61,6 +62,7 @@ import (
 	app3 "github.com/devtron-labs/devtron/api/router/app"
 	appInfo2 "github.com/devtron-labs/devtron/api/router/app/appInfo"
 	"github.com/devtron-labs/devtron/api/router/app/appList"
+	configDiff3 "github.com/devtron-labs/devtron/api/router/app/configDiff"
 	pipeline5 "github.com/devtron-labs/devtron/api/router/app/pipeline"
 	pipeline4 "github.com/devtron-labs/devtron/api/router/app/pipeline/configure"
 	history2 "github.com/devtron-labs/devtron/api/router/app/pipeline/history"
@@ -702,10 +704,10 @@ func InitializeApp() (*App, error) {
 		scopedVariable.NewScopedVariableRestHandlerImpl,
 		wire.Bind(new(scopedVariable.ScopedVariableRestHandler), new(*scopedVariable.ScopedVariableRestHandlerImpl)),
 
-		router.NewDeploymentConfigurationRouter,
-		wire.Bind(new(router.DeploymentConfigurationRouter), new(*router.DeploymentConfigurationRouterImpl)),
-		restHandler.NewDeploymentConfigurationRestHandlerImpl,
-		wire.Bind(new(restHandler.DeploymentConfigurationRestHandler), new(*restHandler.DeploymentConfigurationRestHandlerImpl)),
+		configDiff3.NewDeploymentConfigurationRouter,
+		wire.Bind(new(configDiff3.DeploymentConfigurationRouter), new(*configDiff3.DeploymentConfigurationRouterImpl)),
+		configDiff2.NewDeploymentConfigurationRestHandlerImpl,
+		wire.Bind(new(configDiff2.DeploymentConfigurationRestHandler), new(*configDiff2.DeploymentConfigurationRestHandlerImpl)),
 		configDiff.NewDeploymentConfigurationServiceImpl,
 		wire.Bind(new(configDiff.DeploymentConfigurationService), new(*configDiff.DeploymentConfigurationServiceImpl)),
 

api/restHandler/DeploymentConfigurationRestHandler.go renamed to api/restHandler/app/configDiff/DeploymentConfigurationRestHandler.go

@@ -1,7 +1,8 @@
-package restHandler
+package configDiff
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
@@ -10,6 +11,7 @@ import (
 	"github.com/devtron-labs/devtron/pkg/configDiff/bean"
 	util2 "github.com/devtron-labs/devtron/util"
 	"github.com/devtron-labs/devtron/util/rbac"
+	"github.com/gorilla/mux"
 	"github.com/gorilla/schema"
 	"go.uber.org/zap"
 	"gopkg.in/go-playground/validator.v9"
@@ -20,6 +22,7 @@ import (
 type DeploymentConfigurationRestHandler interface {
 	ConfigAutoComplete(w http.ResponseWriter, r *http.Request)
 	GetConfigData(w http.ResponseWriter, r *http.Request)
+	CompareCategoryWiseConfigData(w http.ResponseWriter, r *http.Request)
 }
 type DeploymentConfigurationRestHandlerImpl struct {
 	logger                         *zap.SugaredLogger
@@ -143,3 +146,69 @@ func getConfigDataQueryParams(r *http.Request) (*bean.ConfigDataQueryParams, err
 
 	return &queryParams, nil
 }
+
+func (handler *DeploymentConfigurationRestHandlerImpl) CompareCategoryWiseConfigData(w http.ResponseWriter, r *http.Request) {
+	userId, err := handler.userAuthService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	vars := mux.Vars(r)
+	configCategory := vars["resource"]
+
+	v := r.URL.Query()
+	comparisonReqString := v.Get("compareConfig")
+	var comparisonRequestDto bean.ComparisonRequestDto
+	err = json.Unmarshal([]byte(comparisonReqString), &comparisonRequestDto)
+	if err != nil {
+		handler.logger.Errorw("error in unmarshalling stringified json query param", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+	err = validateComparisonRequest(configCategory, comparisonRequestDto)
+	if err != nil {
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	comparisonRequestDto.UpdateUserIdInComparisonItems(userId)
+	appName := comparisonRequestDto.GetAppName()
+
+	//RBAC START
+	token := r.Header.Get(common.TokenHeaderKey)
+	object := handler.enforcerUtil.GetAppRBACName(appName)
+
+	ok := handler.enforcerUtil.CheckAppRbacForAppOrJob(token, object, casbin.ActionGet)
+	if !ok {
+		common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), nil, http.StatusForbidden)
+		return
+	}
+	//RBAC END
+	//isSuperAdmin is required to make decision if a sensitive data(as defined by super admin) needs to be redacted
+	//or not while resolving scope variable.
+	isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*")
+	//userHasAdminAccess is required to mask secrets in the response after scope resolution.
+	userHasAdminAccess := handler.checkIfUserHasAdminAccessForLeastPrivilegeEnv(token, comparisonRequestDto)
+
+	ctx := util2.SetSuperAdminInContext(r.Context(), isSuperAdmin)
+	res, err := handler.deploymentConfigurationService.CompareCategoryWiseConfigData(ctx, comparisonRequestDto, userHasAdminAccess)
+	if err != nil {
+		handler.logger.Errorw("service err, CompareCategoryWiseConfigData ", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+
+	common.WriteJsonResp(w, nil, res, http.StatusOK)
+}
+
+// checkIfUserHasAdminAccessForLeastPrivilegeEnv computes if a user has admin access or not for all env,
+// if a user is non admin for at least one env then return false.
+func (handler *DeploymentConfigurationRestHandlerImpl) checkIfUserHasAdminAccessForLeastPrivilegeEnv(token string, comparisonRequestDto bean.ComparisonRequestDto) bool {
+	for _, item := range comparisonRequestDto.ComparisonItems {
+		userHadAdminAccess := handler.enforcer.Enforce(token, casbin.ResourceEnvironment, casbin.ActionGet, item.EnvName)
+		if !userHadAdminAccess {
+			return false
+		}
+	}
+	return true
+}

api/restHandler/app/configDiff/utils.go

@@ -0,0 +1,26 @@
+package configDiff
+
+import (
+	"errors"
+	"github.com/devtron-labs/devtron/pkg/configDiff/bean"
+)
+
+var validConfigCategories = map[string]bool{bean.Secret.ToString(): true, bean.ConfigMap.ToString(): true, bean.DeploymentTemplate.ToString(): true, bean.PipelineStrategy.ToString(): true}
+var ErrInvalidConfigCategory = errors.New("invalid config category provided")
+var ErrInvalidComparisonItems = errors.New("invalid comparison items, only 2 items are supported for comparison")
+var ErrInvalidIndexValInComparisonItems = errors.New("invalid index values in comparison items")
+
+func validateComparisonRequest(configCategory string, comparisonRequestDto bean.ComparisonRequestDto) error {
+	if ok := validConfigCategories[configCategory]; !ok {
+		return ErrInvalidConfigCategory
+	}
+	// comparison items expects exactly two items
+	if len(comparisonRequestDto.ComparisonItems) != 2 {
+		return ErrInvalidComparisonItems
+	}
+	// if index value is other than 0 or 1 then throw invalid index error
+	if len(comparisonRequestDto.ComparisonItems) > 1 && (comparisonRequestDto.ComparisonItems[0].Index != 0 && comparisonRequestDto.ComparisonItems[1].Index != 1) {
+		return ErrInvalidIndexValInComparisonItems
+	}
+	return nil
+}

api/router/DeploymentConfigRouter.go renamed to api/router/app/configDiff/DeploymentConfigRouter.go

@@ -1,31 +1,34 @@
-package router
+package configDiff
 
 import (
-	"github.com/devtron-labs/devtron/api/restHandler"
+	"github.com/devtron-labs/devtron/api/restHandler/app/configDiff"
 	"github.com/gorilla/mux"
 )
 
 type DeploymentConfigurationRouter interface {
-	initDeploymentConfigurationRouter(configRouter *mux.Router)
+	InitDeploymentConfigurationRouter(configRouter *mux.Router)
 }
 
 type DeploymentConfigurationRouterImpl struct {
-	deploymentGroupRestHandler restHandler.DeploymentConfigurationRestHandler
+	deploymentGroupRestHandler configDiff.DeploymentConfigurationRestHandler
 }
 
-func NewDeploymentConfigurationRouter(deploymentGroupRestHandler restHandler.DeploymentConfigurationRestHandler) *DeploymentConfigurationRouterImpl {
+func NewDeploymentConfigurationRouter(deploymentGroupRestHandler configDiff.DeploymentConfigurationRestHandler) *DeploymentConfigurationRouterImpl {
 	router := &DeploymentConfigurationRouterImpl{
 		deploymentGroupRestHandler: deploymentGroupRestHandler,
 	}
 	return router
 }
 
-func (router DeploymentConfigurationRouterImpl) initDeploymentConfigurationRouter(configRouter *mux.Router) {
+func (router DeploymentConfigurationRouterImpl) InitDeploymentConfigurationRouter(configRouter *mux.Router) {
 	configRouter.Path("/autocomplete").
 		HandlerFunc(router.deploymentGroupRestHandler.ConfigAutoComplete).
 		Methods("GET")
 	configRouter.Path("/data").
 		HandlerFunc(router.deploymentGroupRestHandler.GetConfigData).
 		Methods("GET")
+	configRouter.Path("/compare/{resource}").
+		HandlerFunc(router.deploymentGroupRestHandler.CompareCategoryWiseConfigData).
+		Methods("GET")
 
 }

api/router/router.go

@@ -39,6 +39,7 @@ import (
 	"github.com/devtron-labs/devtron/api/module"
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	"github.com/devtron-labs/devtron/api/router/app"
+	"github.com/devtron-labs/devtron/api/router/app/configDiff"
 	"github.com/devtron-labs/devtron/api/server"
 	"github.com/devtron-labs/devtron/api/team"
 	terminal2 "github.com/devtron-labs/devtron/api/terminal"
@@ -114,7 +115,7 @@ type MuxRouter struct {
 	rbacRoleRouter                     user.RbacRoleRouter
 	scopedVariableRouter               ScopedVariableRouter
 	ciTriggerCron                      cron.CiTriggerCron
-	deploymentConfigurationRouter      DeploymentConfigurationRouter
+	deploymentConfigurationRouter      configDiff.DeploymentConfigurationRouter
 	infraConfigRouter                  infraConfig.InfraConfigRouter
 	argoApplicationRouter              argoApplication.ArgoApplicationRouter
 	fluxApplicationRouter              fluxApplication2.FluxApplicationRouter
@@ -147,12 +148,12 @@ func NewMuxRouter(logger *zap.SugaredLogger,
 	scopedVariableRouter ScopedVariableRouter,
 	ciTriggerCron cron.CiTriggerCron,
 	proxyRouter proxy.ProxyRouter,
-	deploymentConfigurationRouter DeploymentConfigurationRouter,
+	deploymentConfigurationRouter configDiff.DeploymentConfigurationRouter,
 	infraConfigRouter infraConfig.InfraConfigRouter,
 	argoApplicationRouter argoApplication.ArgoApplicationRouter,
 	devtronResourceRouter devtronResource.DevtronResourceRouter,
 	fluxApplicationRouter fluxApplication2.FluxApplicationRouter,
-	) *MuxRouter {
+) *MuxRouter {
 	r := &MuxRouter{
 		Router:                             mux.NewRouter(),
 		EnvironmentClusterMappingsRouter:   EnvironmentClusterMappingsRouter,
@@ -298,7 +299,7 @@ func (r MuxRouter) Init() {
 
 	configRouter := r.Router.PathPrefix("/orchestrator/config").Subrouter()
 	r.ConfigMapRouter.initConfigMapRouter(configRouter)
-	r.deploymentConfigurationRouter.initDeploymentConfigurationRouter(configRouter)
+	r.deploymentConfigurationRouter.InitDeploymentConfigurationRouter(configRouter)
 
 	appStoreRouter := r.Router.PathPrefix("/orchestrator/app-store").Subrouter()
 	r.AppStoreRouter.Init(appStoreRouter)

internal/sql/repository/pipelineConfig/CdWorfkflowRepository.go

@@ -79,6 +79,7 @@ type CdWorkflowRepository interface {
 
 	MigrateIsArtifactUploaded(wfrId int, isArtifactUploaded bool)
 	MigrateCdArtifactLocation(wfrId int, cdArtifactLocation string)
+	FindDeployedCdWorkflowRunnersByPipelineId(pipelineId int) ([]*CdWorkflowRunner, error)
 }
 
 type CdWorkflowRepositoryImpl struct {
@@ -761,3 +762,19 @@ func (impl *CdWorkflowRepositoryImpl) MigrateCdArtifactLocation(wfrId int, cdArt
 		impl.logger.Errorw("error in updating cd artifact location", "wfrId", wfrId, "err", err)
 	}
 }
+
+func (impl *CdWorkflowRepositoryImpl) FindDeployedCdWorkflowRunnersByPipelineId(pipelineId int) ([]*CdWorkflowRunner, error) {
+	var runners []*CdWorkflowRunner
+	err := impl.dbConnection.
+		Model(&runners).
+		Column("cd_workflow_runner.*", "CdWorkflow").
+		Where("cd_workflow.pipeline_id = ?", pipelineId).
+		Where("workflow_type = ? ", apiBean.CD_WORKFLOW_TYPE_DEPLOY).
+		Order("cd_workflow_runner.id").
+		Select()
+	if err != nil {
+		impl.logger.Errorw("error in finding previous co workflow runners by pipeline id ", "pipelineId", pipelineId, "err", err)
+		return nil, err
+	}
+	return runners, nil
+}