fix: enforce app create/update privileges when getting repo details

[jessesuen]

When getting repo details for an app, we will now require the user to specify both the project + app name for which it wants to create it or update. This ensures that we only return details about the repo if the user has permission to create/update the app.

Signed-off-by: Jesse Suen jesse@akuity.io

[codecov]

Codecov Report

Merging #8558 (9ba37cb) into master (53090f1) will increase coverage by 0.19%.
The diff coverage is 90.24%.

@@            Coverage Diff             @@
##           master    #8558      +/-   ##
==========================================
+ Coverage   42.41%   42.60%   +0.19%     
==========================================
  Files         176      176              
  Lines       22904    22941      +37     
==========================================
+ Hits         9714     9774      +60     
+ Misses      11804    11770      -34     
- Partials     1386     1397      +11     

Impacted Files	Coverage Δ
server/repository/repository.go	52.44% <89.74%> (+16.04%)	⬆️
server/server.go	55.41% <100.00%> (+0.08%)	⬆️
util/settings/settings.go	47.91% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 53090f1...9ba37cb. Read the comment docs.

[jessesuen]

@alexmt I brought the ProjectLister into the repositories grpc server and it now verifies permitted sources when returning repo details.

[alexmt]

Just so we don't forget: as we discussed offlinethe same projection is required for POST /appdetails API.

[jannfis]

Is this a potentially breaking change in the API, when previously it was not required to specify both app name and app project? Can't we infer the project from the application's .spec.project field?

[jessesuen]

Is this a potentially breaking change in the API, when previously it was not required to specify both app name and app project? Can't we infer the project from the application's .spec.project field?

Yes, it is a breaking change. That said, since this is a UI-only endpoint, they would only need to refresh the page in their browser and that would fix the issue.

Can't we infer the project from the application's .spec.project field?

We can only do this if the app exists, but not when this endpoint is called during app creation, which is what we also need to fix. In the case where app already exists, I do have a check to make sure the supplied project in the request matches app.spec.project and returns permission denied if they mismatch.

[jannfis]

Yes, it is a breaking change. That said, since this is a UI-only endpoint, they would only need to refresh the page in their browser and that would fix the issue.

I'm not quite sure if I go along the notation of UI only endpoints. It's in the public part of the API, potentially used by people who build their own UI for Argo CD (or use the endpoint otherwise from their clients).

Anyhow, I think this change justifies the breakage. IMHO, we should point it out in the release notes that there has been a small breaking change without alternative to being breaking, and users consuming this API endpoint for whatever reason need to adapt their clients.

[jannfis]

LGTM

[alexmt]

Great catch. I totally forgot about sync history use case.

[alexmt]

LGTM. I agree security patch is good justification for a breaking API change.

[crenshaw-dev]

LGTM!