Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Helm Apps permissions do not allow Terminal or Logs view #4110

Merged
merged 13 commits into from
Oct 20, 2023
Merged

fix: Helm Apps permissions do not allow Terminal or Logs view #4110

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
7418f2b
check for active ci_pipeline_material
Ashish-devtron Oct 11, 2023
78b844f
t checkout ci-pipeMerge branch 'main' of github.com:devtron-labs/devtron
Ashish-devtron Oct 11, 2023
2b0ca95
Merge branch 'main' of github.com:devtron-labs/devtron
Ashish-devtron Oct 12, 2023
f7ce0ff
Merge branch 'main' of github.com:devtron-labs/devtron
Ashish-devtron Oct 12, 2023
7a9a8a9
Merge branch 'main' of github.com:devtron-labs/devtron
Ashish-devtron Oct 13, 2023
3b0ac36
Merge branch 'main' of github.com:devtron-labs/devtron
Ashish-devtron Oct 17, 2023
1ee9d51
lowercase project name before rbac check
Ashish-devtron Oct 17, 2023
28b94d0
lowercase resourceItem before rbac enforcing
Ashish-devtron Oct 17, 2023
6ef143a
lowercase resourceItem before rbac enforcing
Ashish-devtron Oct 17, 2023
b5a5cfc
lowercase resourceItem before rbac enforcing
Ashish-devtron Oct 17, 2023
dfcd4ad
lowercase resourceItem before rbac enforcing
Ashish-devtron Oct 17, 2023
38485ee
lowercase resourceItem before rbac enforcing
Ashish-devtron Oct 17, 2023
ea444f7
remove multi lowercase
Ashish-devtron Oct 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions pkg/user/casbin/rbac.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,8 +115,7 @@ func (e *EnforcerImpl) Enforce(token string, resource string, action string, res
}

func (e *EnforcerImpl) EnforceByEmail(emailId string, resource string, action string, resourceItem string) bool {
allowed := e.enforceByEmail(emailId, resource, action, resourceItem)
return allowed
return e.enforceByEmail(emailId, resource, action, strings.ToLower(resourceItem))
}

func (e *EnforcerImpl) ReloadPolicy() error {
Expand Down Expand Up @@ -167,6 +166,10 @@ func (e *EnforcerImpl) EnforceByEmailInBatch(emailId string, resource string, ac
batchRequestLock.Lock()
defer batchRequestLock.Unlock()

for index, val := range vals {
vals[index] = strings.ToLower(val)
}

var metrics = make(map[int]int64)
result, notFoundItemList := e.batchEnforceFromCache(emailId, resource, action, vals)
if len(result) > 0 {
Expand Down
93 changes: 46 additions & 47 deletions util/rbac/EnforcerUtil.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@ import (
"github.com/devtron-labs/devtron/pkg/user/casbin"
"github.com/go-pg/pg"
"go.uber.org/zap"
"strings"
)

type EnforcerUtil interface {
Expand Down Expand Up @@ -115,7 +114,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsByEnvIdsAndAppId(envIds []int, appId

for _, env := range envs {
if _, ok := objects[env.Id]; !ok {
objects[env.Id] = fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
objects[env.Id] = fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, appName)
envObjectToName[objects[env.Id]] = env.Name
}
}
Expand All @@ -131,7 +130,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsByAppIds(appIds []int) map[int]string
}
for _, item := range result {
if _, ok := objects[item.Id]; !ok {
objects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
objects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}
return objects
Expand All @@ -140,17 +139,17 @@ func (impl EnforcerUtilImpl) GetRbacObjectsByAppIds(appIds []int) map[int]string
func (impl EnforcerUtilImpl) GetAppRBACName(appName string) string {
application, err := impl.appRepo.FindAppAndProjectByAppName(appName)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", application.Team.Name, appName)
}

func (impl EnforcerUtilImpl) GetProjectAdminRBACNameBYAppName(appName string) string {
application, err := impl.appRepo.FindAppAndProjectByAppName(appName)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), "*")
return fmt.Sprintf("%s/%s", application.Team.Name, "*")
}

func (impl EnforcerUtilImpl) GetRbacObjectsForAllApps() map[int]string {
Expand All @@ -161,7 +160,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllApps() map[int]string {
}
for _, item := range result {
if _, ok := objects[item.Id]; !ok {
objects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
objects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}
return objects
Expand All @@ -175,7 +174,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllAppsWithTeamID(teamID int) map[
}
for _, item := range result {
if _, ok := objects[item.Id]; !ok {
objects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
objects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}
return objects
Expand All @@ -186,15 +185,15 @@ func (impl EnforcerUtilImpl) GetAppRBACNameByAppId(appId int) string {
if err != nil {
return fmt.Sprintf("%s/%s", "", "")
}
return fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", application.Team.Name, application.AppName)
}

func (impl EnforcerUtilImpl) GetAppRBACByAppNameAndEnvId(appName string, envId int) string {
env, err := impl.environmentRepository.FindById(envId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, appName)
}

func (impl EnforcerUtilImpl) GetAppRBACByAppIdAndPipelineId(appId int, pipelineId int) string {
Expand All @@ -204,13 +203,13 @@ func (impl EnforcerUtilImpl) GetAppRBACByAppIdAndPipelineId(appId int, pipelineI
}
pipeline, err := impl.pipelineRepository.FindById(pipelineId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", "", application.AppName)
}
env, err := impl.environmentRepository.FindById(pipeline.EnvironmentId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", "", application.AppName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, application.AppName)
}

func (impl EnforcerUtilImpl) GetEnvRBACNameByAppId(appId int, envId int) string {
Expand All @@ -221,9 +220,9 @@ func (impl EnforcerUtilImpl) GetEnvRBACNameByAppId(appId int, envId int) string
var appName = application.AppName
env, err := impl.environmentRepository.FindById(envId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, appName)
}

func (impl EnforcerUtilImpl) GetTeamEnvRBACNameByAppId(appId int, envId int) string {
Expand All @@ -235,9 +234,9 @@ func (impl EnforcerUtilImpl) GetTeamEnvRBACNameByAppId(appId int, envId int) str
var teamName = application.Team.Name
env, err := impl.environmentRepository.FindById(envId)
if err != nil {
return fmt.Sprintf("%s/%s/%s", strings.ToLower(teamName), "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s/%s", teamName, "", appName)
}
return fmt.Sprintf("%s/%s/%s", strings.ToLower(teamName), strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
return fmt.Sprintf("%s/%s/%s", teamName, env.EnvironmentIdentifier, appName)
}

func (impl EnforcerUtilImpl) GetTeamRBACByCiPipelineId(pipelineId int) string {
Expand Down Expand Up @@ -276,9 +275,9 @@ func (impl EnforcerUtilImpl) GetEnvRBACNameByCiPipelineIdAndEnvId(ciPipelineId i
appName := application.AppName
env, err := impl.environmentRepository.FindById(envId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, appName)
}

func (impl EnforcerUtilImpl) GetEnvRBACNameByCdPipelineIdAndEnvId(cdPipelineId int) string {
Expand All @@ -287,7 +286,7 @@ func (impl EnforcerUtilImpl) GetEnvRBACNameByCdPipelineIdAndEnvId(cdPipelineId i
impl.logger.Error(err)
return fmt.Sprintf("%s/%s", "", "")
}
return fmt.Sprintf("%s/%s", strings.ToLower(pipeline.Environment.EnvironmentIdentifier), strings.ToLower(pipeline.App.AppName))
return fmt.Sprintf("%s/%s", pipeline.Environment.EnvironmentIdentifier, pipeline.App.AppName)
}

func (impl EnforcerUtilImpl) GetTeamRbacObjectByCiPipelineId(ciPipelineId int) string {
Expand All @@ -299,7 +298,7 @@ func (impl EnforcerUtilImpl) GetTeamRbacObjectByCiPipelineId(ciPipelineId int) s
if err != nil {
return fmt.Sprintf("%s/%s", "", "")
}
return fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), strings.ToLower(ciPipeline.App.AppName))
return fmt.Sprintf("%s/%s", application.Team.Name, ciPipeline.App.AppName)
}

func (impl EnforcerUtilImpl) GetTeamAndEnvironmentRbacObjectByCDPipelineId(pipelineId int) (string, string) {
Expand All @@ -313,8 +312,8 @@ func (impl EnforcerUtilImpl) GetTeamAndEnvironmentRbacObjectByCDPipelineId(pipel
impl.logger.Errorw("error on fetching data for rbac object", "err", err)
return "", ""
}
teamRbac := fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), strings.ToLower(pipeline.App.AppName))
envRbac := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.Environment.EnvironmentIdentifier), strings.ToLower(pipeline.App.AppName))
teamRbac := fmt.Sprintf("%s/%s", application.Team.Name, pipeline.App.AppName)
envRbac := fmt.Sprintf("%s/%s", pipeline.Environment.EnvironmentIdentifier, pipeline.App.AppName)
return teamRbac, envRbac
}

Expand All @@ -328,7 +327,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllAppsAndEnvironments() (map[int]
}
for _, item := range apps {
if _, ok := appObjects[item.Id]; !ok {
appObjects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
appObjects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}

Expand All @@ -341,7 +340,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllAppsAndEnvironments() (map[int]
for _, app := range apps {
key := fmt.Sprintf("%d-%d", env.Id, app.Id)
if _, ok := envObjects[key]; !ok {
envObjects[key] = fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(app.AppName))
envObjects[key] = fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, app.AppName)
}
}
}
Expand Down Expand Up @@ -381,11 +380,11 @@ func (impl EnforcerUtilImpl) GetHelmObject(appId int, envId int) (string, string
}*/

if environmentIdentifier2 == "" {
return fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier, strings.ToLower(application.AppName)), ""
return fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier, application.AppName), ""
}

return fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier, strings.ToLower(application.AppName)),
fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier2, strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier, application.AppName),
fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier2, application.AppName)
}

func (impl EnforcerUtilImpl) GetHelmObjectByAppNameAndEnvId(appName string, envId int) (string, string) {
Expand All @@ -412,16 +411,16 @@ func (impl EnforcerUtilImpl) GetHelmObjectByAppNameAndEnvId(appName string, envI
}
}
if environmentIdentifier2 == "" {
return fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier, strings.ToLower(application.AppName)), ""
return fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier, application.AppName), ""
}

//TODO - FIX required for futuristic permission for cluster__* all environment for migrated environment identifier only
/*//here cluster, env, namespace must not have double underscore in names, as we are using that for separator.
if !strings.HasPrefix(env.EnvironmentIdentifier, fmt.Sprintf("%s__", env.Cluster.ClusterName)) {
environmentIdentifier = fmt.Sprintf("%s__%s", env.Cluster.ClusterName, env.EnvironmentIdentifier)
}*/
return fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier, strings.ToLower(application.AppName)),
fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier2, strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier, application.AppName),
fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier2, application.AppName)
}

func (impl EnforcerUtilImpl) GetHelmObjectByProjectIdAndEnvId(teamId int, envId int) (string, string) {
Expand Down Expand Up @@ -452,16 +451,16 @@ func (impl EnforcerUtilImpl) GetHelmObjectByProjectIdAndEnvId(teamId int, envId
}

if environmentIdentifier2 == "" {
return fmt.Sprintf("%s/%s/%s", strings.ToLower(team.Name), environmentIdentifier, "*"), ""
return fmt.Sprintf("%s/%s/%s", team.Name, environmentIdentifier, "*"), ""
}

//TODO - FIX required for futuristic permission for cluster__* all environment for migrated environment identifier only
/*//here cluster, env, namespace must not have double underscore in names, as we are using that for separator.
if !strings.HasPrefix(env.EnvironmentIdentifier, fmt.Sprintf("%s__", env.Cluster.ClusterName)) {
environmentIdentifier = fmt.Sprintf("%s__%s", env.Cluster.ClusterName, env.EnvironmentIdentifier)
}*/
return fmt.Sprintf("%s/%s/%s", strings.ToLower(team.Name), environmentIdentifier, "*"),
fmt.Sprintf("%s/%s/%s", strings.ToLower(team.Name), environmentIdentifier2, "*")
return fmt.Sprintf("%s/%s/%s", team.Name, environmentIdentifier, "*"),
fmt.Sprintf("%s/%s/%s", team.Name, environmentIdentifier2, "*")
}

func (impl EnforcerUtilImpl) GetAppRBACNameByTeamIdAndAppId(teamId int, appId int) string {
Expand All @@ -475,7 +474,7 @@ func (impl EnforcerUtilImpl) GetAppRBACNameByTeamIdAndAppId(teamId int, appId in
impl.logger.Errorw("error on fetching data for rbac object", "err", err)
return fmt.Sprintf("%s/%s", "", "")
}
return fmt.Sprintf("%s/%s", strings.ToLower(team.Name), strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", team.Name, application.AppName)
}

func (impl EnforcerUtilImpl) GetRBACNameForClusterEntity(clusterName string, resourceIdentifier k8s.ResourceIdentifier) (resourceName, objectName string) {
Expand Down Expand Up @@ -504,7 +503,7 @@ func (impl EnforcerUtilImpl) GetAppObjectByCiPipelineIds(ciPipelineIds []int) ma
}
for _, pipeline := range models {
if _, ok := objects[pipeline.Id]; !ok {
appObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.App.Team.Name), strings.ToLower(pipeline.App.AppName))
appObject := fmt.Sprintf("%s/%s", pipeline.App.Team.Name, pipeline.App.AppName)
objects[pipeline.Id] = appObject
}
}
Expand All @@ -520,8 +519,8 @@ func (impl EnforcerUtilImpl) GetAppAndEnvObjectByPipelineIds(cdPipelineIds []int
}
for _, pipeline := range models {
if _, ok := objects[pipeline.Id]; !ok {
appObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.App.Team.Name), strings.ToLower(pipeline.App.AppName))
envObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.Environment.EnvironmentIdentifier), strings.ToLower(pipeline.App.AppName))
appObject := fmt.Sprintf("%s/%s", pipeline.App.Team.Name, pipeline.App.AppName)
envObject := fmt.Sprintf("%s/%s", pipeline.Environment.EnvironmentIdentifier, pipeline.App.AppName)
objects[pipeline.Id] = []string{appObject, envObject}
}
}
Expand All @@ -536,7 +535,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllAppsWithMatchingAppName(appName
}
for _, item := range result {
if _, ok := objects[item.Id]; !ok {
objects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
objects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}
return objects
Expand All @@ -559,8 +558,8 @@ func (impl EnforcerUtilImpl) GetAppAndEnvObjectByPipeline(cdPipelines []*bean.CD
}
for _, pipeline := range cdPipelines {
if _, ok := objects[pipeline.Id]; !ok {
appObject := fmt.Sprintf("%s/%s", strings.ToLower(teamMap[pipeline.TeamId]), strings.ToLower(pipeline.AppName))
envObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.EnvironmentIdentifier), strings.ToLower(pipeline.AppName))
appObject := fmt.Sprintf("%s/%s", teamMap[pipeline.TeamId], pipeline.AppName)
envObject := fmt.Sprintf("%s/%s", pipeline.EnvironmentIdentifier, pipeline.AppName)
objects[pipeline.Id] = []string{appObject, envObject}
}
}
Expand All @@ -586,8 +585,8 @@ func (impl EnforcerUtilImpl) GetAppAndEnvObjectByDbPipeline(cdPipelines []*pipel
}
for _, pipeline := range cdPipelines {
if _, ok := objects[pipeline.Id]; !ok {
appObject := fmt.Sprintf("%s/%s", strings.ToLower(teamMap[pipeline.App.TeamId]), strings.ToLower(pipeline.App.AppName))
envObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.Environment.EnvironmentIdentifier), strings.ToLower(pipeline.App.AppName))
appObject := fmt.Sprintf("%s/%s", teamMap[pipeline.App.TeamId], pipeline.App.AppName)
envObject := fmt.Sprintf("%s/%s", pipeline.Environment.EnvironmentIdentifier, pipeline.App.AppName)
objects[pipeline.Id] = []string{appObject, envObject}
}
}
Expand All @@ -601,11 +600,11 @@ func (impl EnforcerUtilImpl) GetAllActiveTeamNames() ([]string, error) {
return nil, err
}
for i, teamName := range teamNames {
teamNames[i] = strings.ToLower(teamName)
teamNames[i] = teamName
}
return teamNames, nil
}

func (impl EnforcerUtilImpl) GetAppRBACNameByAppAndProjectName(projectName, appName string) string {
return fmt.Sprintf("%s/%s", strings.ToLower(projectName), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", projectName, appName)
}
Loading
Loading