Make directory enforcer more lenient and add flag

[simster7]

Fixes: #2715 and updates change in #2452. Adds a new argo-cd-cm flag (helm.directoryEnforcerLevel) to set Directory Enforcer level. Supported values are:

• Strict: only allows access to files within the directory containing Chart.yaml
• Repo (default): allows access to files within the entire repo

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Optional. My organization is added to the README.
• I've signed the CLA and my build is green (troubleshooting builds).

[simster7]

@jannfis @wecger @adamjohnson01 If possible, could you guys download and build this branch and see if the fix works as you would expect? The default behavior is to permit all files within a repo.

[codecov]

Codecov Report

Merging #2716 into master will increase coverage by 0.04%.
The diff coverage is 86.66%.

@@            Coverage Diff             @@
##           master    #2716      +/-   ##
==========================================
+ Coverage   38.38%   38.42%   +0.04%     
==========================================
  Files         156      156              
  Lines       17292    17310      +18     
  Branches      203      203              
==========================================
+ Hits         6638     6652      +14     
- Misses       9831     9833       +2     
- Partials      823      825       +2

Impacted Files	Coverage Δ
util/settings/settings.go	30.89% <100%> (+0.25%)	⬆️
util/security/path_traversal.go	81.48% <100%> (+10.89%)	⬆️
util/helm/cmd.go	40.56% <100%> (-2.42%)	⬇️
reposerver/repository/repository.go	59.88% <75%> (-0.08%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 257c276...80a5ac2. Read the comment docs.

[simster7]

@jannfis @wecger @adamjohnson01 If possible, could you guys download and build this branch and see if the fix works as you would expect? The default behavior is to permit all files within a repo.

@jannfis @wecger @adamjohnson01 Hope you guys don't mind if I try you one more time :)

[jannfis]

Sorry for the late reply @simster7 and also thanks for the quick PR - unfortunately, We didn't find the time to build from that branch yet, as we're pretty busy with other topics. I'll see if I find time over the weekend to test it out and let you know any feedback.

[simster7]

@alexec This could potentially need to be backported.

[jannfis]

Still not built & tested, but reviewed the change. I just have some minor comments, please check.

[alexec]

IMHO for app where repo type is Git (as opposed to Helm) you should be able to read any file within the repo. No need for options.

[simster7]

@alexec Sure, I can remove the option functionality. Since it's already implemented though, we could leave it in? Doesn't seem like it would hurt

[alexec]

I'd prefer to not have extra code to maintain TBH.

[simster7]

@alexec Removed the enforcer level option

[simster7]

Ditto

[simster7]

@alexec Ready for another look

[alexec]

Looks good so far. Can we allow URLs please?

[alexec]

Please dismiss and re-request review when ready - so it appears in my notifications.

[alexec]

LGTM

[wecger]

built, deployed and tested this branch on our env. Using value files from outside the chart folder, but inside the repo worked fine for me :)