fix: Helm Apps permissions do not allow Terminal or Logs view #4110

Merged
merged 13 commits into from
Oct 20, 2023
7 changes: 5 additions & 2 deletions pkg/user/casbin/rbac.go
Expand Up @@ -115,8 +115,7 @@ func (e *EnforcerImpl) Enforce(token string, resource string, action string, res
}

func (e *EnforcerImpl) EnforceByEmail(emailId string, resource string, action string, resourceItem string) bool {
allowed := e.enforceByEmail(emailId, resource, action, resourceItem)
return allowed
return e.enforceByEmail(emailId, resource, action, strings.ToLower(resourceItem))
}

func (e *EnforcerImpl) ReloadPolicy() error {
Expand Down Expand Up @@ -167,6 +166,10 @@ func (e *EnforcerImpl) EnforceByEmailInBatch(emailId string, resource string, ac
batchRequestLock.Lock()
defer batchRequestLock.Unlock()

for index, val := range vals {
vals[index] = strings.ToLower(val)
}

var metrics = make(map[int]int64)
result, notFoundItemList := e.batchEnforceFromCache(emailId, resource, action, vals)
if len(result) > 0 {
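Review bot: The loop added to EnforceByEmailInBatch lowercases `vals` in place, so the caller's slice is rewritten and the result is presumably keyed by the lowercased strings. A caller that looks a result up with the case-preserved object it built itself (the helpers in util/rbac/EnforcerUtil.go stop lowercasing in this same change) would miss the key and read the zero value, which is a silent deny. That contract should be stated where the mutation happens, for example `// vals is lowercased in place; results are keyed by the lowercased object`, and call sites checked against it. As far as these hunks show, case normalization now lives only in EnforceByEmail and EnforceByEmailInBatch; Enforce and any other entry point are outside the hunks and should be confirmed to canonicalize the object the same way, so that no authorization path matches on raw case. Both function bodies continue outside the hunks.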
93 changes: 46 additions & 47 deletions util/rbac/EnforcerUtil.go
Expand Up @@ -30,7 +30,6 @@ import (
"github.com/devtron-labs/devtron/pkg/user/casbin"
"github.com/go-pg/pg"
"go.uber.org/zap"
"strings"
)

type EnforcerUtil interface {
Expand Down Expand Up @@ -115,7 +114,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsByEnvIdsAndAppId(envIds []int, appId

for _, env := range envs {
if _, ok := objects[env.Id]; !ok {
objects[env.Id] = fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
objects[env.Id] = fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, appName)
envObjectToName[objects[env.Id]] = env.Name
}
}
Expand All @@ -131,7 +130,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsByAppIds(appIds []int) map[int]string
}
for _, item := range result {
if _, ok := objects[item.Id]; !ok {
objects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
objects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}
return objects
Expand All @@ -140,17 +139,17 @@ func (impl EnforcerUtilImpl) GetRbacObjectsByAppIds(appIds []int) map[int]string
func (impl EnforcerUtilImpl) GetAppRBACName(appName string) string {
application, err := impl.appRepo.FindAppAndProjectByAppName(appName)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", application.Team.Name, appName)
}

func (impl EnforcerUtilImpl) GetProjectAdminRBACNameBYAppName(appName string) string {
application, err := impl.appRepo.FindAppAndProjectByAppName(appName)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), "*")
return fmt.Sprintf("%s/%s", application.Team.Name, "*")
}

func (impl EnforcerUtilImpl) GetRbacObjectsForAllApps() map[int]string {
Expand All @@ -161,7 +160,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllApps() map[int]string {
}
for _, item := range result {
if _, ok := objects[item.Id]; !ok {
objects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
objects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}
return objects
Expand All @@ -175,7 +174,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllAppsWithTeamID(teamID int) map[
}
for _, item := range result {
if _, ok := objects[item.Id]; !ok {
objects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
objects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}
return objects
Expand All @@ -186,15 +185,15 @@ func (impl EnforcerUtilImpl) GetAppRBACNameByAppId(appId int) string {
if err != nil {
return fmt.Sprintf("%s/%s", "", "")
}
return fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", application.Team.Name, application.AppName)
}

func (impl EnforcerUtilImpl) GetAppRBACByAppNameAndEnvId(appName string, envId int) string {
env, err := impl.environmentRepository.FindById(envId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, appName)
}

func (impl EnforcerUtilImpl) GetAppRBACByAppIdAndPipelineId(appId int, pipelineId int) string {
Expand All @@ -204,13 +203,13 @@ func (impl EnforcerUtilImpl) GetAppRBACByAppIdAndPipelineId(appId int, pipelineI
}
pipeline, err := impl.pipelineRepository.FindById(pipelineId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", "", application.AppName)
}
env, err := impl.environmentRepository.FindById(pipeline.EnvironmentId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", "", application.AppName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, application.AppName)
}

func (impl EnforcerUtilImpl) GetEnvRBACNameByAppId(appId int, envId int) string {
Expand All @@ -221,9 +220,9 @@ func (impl EnforcerUtilImpl) GetEnvRBACNameByAppId(appId int, envId int) string
var appName = application.AppName
env, err := impl.environmentRepository.FindById(envId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, appName)
}

func (impl EnforcerUtilImpl) GetTeamEnvRBACNameByAppId(appId int, envId int) string {
Expand All @@ -235,9 +234,9 @@ func (impl EnforcerUtilImpl) GetTeamEnvRBACNameByAppId(appId int, envId int) str
var teamName = application.Team.Name
env, err := impl.environmentRepository.FindById(envId)
if err != nil {
return fmt.Sprintf("%s/%s/%s", strings.ToLower(teamName), "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s/%s", teamName, "", appName)
}
return fmt.Sprintf("%s/%s/%s", strings.ToLower(teamName), strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
return fmt.Sprintf("%s/%s/%s", teamName, env.EnvironmentIdentifier, appName)
}

func (impl EnforcerUtilImpl) GetTeamRBACByCiPipelineId(pipelineId int) string {
Expand Down Expand Up @@ -276,9 +275,9 @@ func (impl EnforcerUtilImpl) GetEnvRBACNameByCiPipelineIdAndEnvId(ciPipelineId i
appName := application.AppName
env, err := impl.environmentRepository.FindById(envId)
if err != nil {
return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
return fmt.Sprintf("%s/%s", "", appName)
}
return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, appName)
}

func (impl EnforcerUtilImpl) GetEnvRBACNameByCdPipelineIdAndEnvId(cdPipelineId int) string {
Expand All @@ -287,7 +286,7 @@ func (impl EnforcerUtilImpl) GetEnvRBACNameByCdPipelineIdAndEnvId(cdPipelineId i
impl.logger.Error(err)
return fmt.Sprintf("%s/%s", "", "")
}
return fmt.Sprintf("%s/%s", strings.ToLower(pipeline.Environment.EnvironmentIdentifier), strings.ToLower(pipeline.App.AppName))
return fmt.Sprintf("%s/%s", pipeline.Environment.EnvironmentIdentifier, pipeline.App.AppName)
}

func (impl EnforcerUtilImpl) GetTeamRbacObjectByCiPipelineId(ciPipelineId int) string {
Expand All @@ -299,7 +298,7 @@ func (impl EnforcerUtilImpl) GetTeamRbacObjectByCiPipelineId(ciPipelineId int) s
if err != nil {
return fmt.Sprintf("%s/%s", "", "")
}
return fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), strings.ToLower(ciPipeline.App.AppName))
return fmt.Sprintf("%s/%s", application.Team.Name, ciPipeline.App.AppName)
}

func (impl EnforcerUtilImpl) GetTeamAndEnvironmentRbacObjectByCDPipelineId(pipelineId int) (string, string) {
Expand All @@ -313,8 +312,8 @@ func (impl EnforcerUtilImpl) GetTeamAndEnvironmentRbacObjectByCDPipelineId(pipel
impl.logger.Errorw("error on fetching data for rbac object", "err", err)
return "", ""
}
teamRbac := fmt.Sprintf("%s/%s", strings.ToLower(application.Team.Name), strings.ToLower(pipeline.App.AppName))
envRbac := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.Environment.EnvironmentIdentifier), strings.ToLower(pipeline.App.AppName))
teamRbac := fmt.Sprintf("%s/%s", application.Team.Name, pipeline.App.AppName)
envRbac := fmt.Sprintf("%s/%s", pipeline.Environment.EnvironmentIdentifier, pipeline.App.AppName)
return teamRbac, envRbac
}

Expand All @@ -328,7 +327,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllAppsAndEnvironments() (map[int]
}
for _, item := range apps {
if _, ok := appObjects[item.Id]; !ok {
appObjects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
appObjects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}

Expand All @@ -341,7 +340,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllAppsAndEnvironments() (map[int]
for _, app := range apps {
key := fmt.Sprintf("%d-%d", env.Id, app.Id)
if _, ok := envObjects[key]; !ok {
envObjects[key] = fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(app.AppName))
envObjects[key] = fmt.Sprintf("%s/%s", env.EnvironmentIdentifier, app.AppName)
}
}
}
Expand Down Expand Up @@ -381,11 +380,11 @@ func (impl EnforcerUtilImpl) GetHelmObject(appId int, envId int) (string, string
}*/

if environmentIdentifier2 == "" {
return fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier, strings.ToLower(application.AppName)), ""
return fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier, application.AppName), ""
}

return fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier, strings.ToLower(application.AppName)),
fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier2, strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier, application.AppName),
fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier2, application.AppName)
}

func (impl EnforcerUtilImpl) GetHelmObjectByAppNameAndEnvId(appName string, envId int) (string, string) {
Expand All @@ -412,16 +411,16 @@ func (impl EnforcerUtilImpl) GetHelmObjectByAppNameAndEnvId(appName string, envI
}
}
if environmentIdentifier2 == "" {
return fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier, strings.ToLower(application.AppName)), ""
return fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier, application.AppName), ""
}

//TODO - FIX required for futuristic permission for cluster__* all environment for migrated environment identifier only
/*//here cluster, env, namespace must not have double underscore in names, as we are using that for separator.
if !strings.HasPrefix(env.EnvironmentIdentifier, fmt.Sprintf("%s__", env.Cluster.ClusterName)) {
environmentIdentifier = fmt.Sprintf("%s__%s", env.Cluster.ClusterName, env.EnvironmentIdentifier)
}*/
return fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier, strings.ToLower(application.AppName)),
fmt.Sprintf("%s/%s/%s", strings.ToLower(application.Team.Name), environmentIdentifier2, strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier, application.AppName),
fmt.Sprintf("%s/%s/%s", application.Team.Name, environmentIdentifier2, application.AppName)
}

func (impl EnforcerUtilImpl) GetHelmObjectByProjectIdAndEnvId(teamId int, envId int) (string, string) {
Expand Down Expand Up @@ -452,16 +451,16 @@ func (impl EnforcerUtilImpl) GetHelmObjectByProjectIdAndEnvId(teamId int, envId
}

if environmentIdentifier2 == "" {
return fmt.Sprintf("%s/%s/%s", strings.ToLower(team.Name), environmentIdentifier, "*"), ""
return fmt.Sprintf("%s/%s/%s", team.Name, environmentIdentifier, "*"), ""
}

//TODO - FIX required for futuristic permission for cluster__* all environment for migrated environment identifier only
/*//here cluster, env, namespace must not have double underscore in names, as we are using that for separator.
if !strings.HasPrefix(env.EnvironmentIdentifier, fmt.Sprintf("%s__", env.Cluster.ClusterName)) {
environmentIdentifier = fmt.Sprintf("%s__%s", env.Cluster.ClusterName, env.EnvironmentIdentifier)
}*/
return fmt.Sprintf("%s/%s/%s", strings.ToLower(team.Name), environmentIdentifier, "*"),
fmt.Sprintf("%s/%s/%s", strings.ToLower(team.Name), environmentIdentifier2, "*")
return fmt.Sprintf("%s/%s/%s", team.Name, environmentIdentifier, "*"),
fmt.Sprintf("%s/%s/%s", team.Name, environmentIdentifier2, "*")
}

func (impl EnforcerUtilImpl) GetAppRBACNameByTeamIdAndAppId(teamId int, appId int) string {
Expand All @@ -475,7 +474,7 @@ func (impl EnforcerUtilImpl) GetAppRBACNameByTeamIdAndAppId(teamId int, appId in
impl.logger.Errorw("error on fetching data for rbac object", "err", err)
return fmt.Sprintf("%s/%s", "", "")
}
return fmt.Sprintf("%s/%s", strings.ToLower(team.Name), strings.ToLower(application.AppName))
return fmt.Sprintf("%s/%s", team.Name, application.AppName)
}

func (impl EnforcerUtilImpl) GetRBACNameForClusterEntity(clusterName string, resourceIdentifier k8s.ResourceIdentifier) (resourceName, objectName string) {
Expand Down Expand Up @@ -504,7 +503,7 @@ func (impl EnforcerUtilImpl) GetAppObjectByCiPipelineIds(ciPipelineIds []int) ma
}
for _, pipeline := range models {
if _, ok := objects[pipeline.Id]; !ok {
appObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.App.Team.Name), strings.ToLower(pipeline.App.AppName))
appObject := fmt.Sprintf("%s/%s", pipeline.App.Team.Name, pipeline.App.AppName)
objects[pipeline.Id] = appObject
}
}
Expand All @@ -520,8 +519,8 @@ func (impl EnforcerUtilImpl) GetAppAndEnvObjectByPipelineIds(cdPipelineIds []int
}
for _, pipeline := range models {
if _, ok := objects[pipeline.Id]; !ok {
appObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.App.Team.Name), strings.ToLower(pipeline.App.AppName))
envObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.Environment.EnvironmentIdentifier), strings.ToLower(pipeline.App.AppName))
appObject := fmt.Sprintf("%s/%s", pipeline.App.Team.Name, pipeline.App.AppName)
envObject := fmt.Sprintf("%s/%s", pipeline.Environment.EnvironmentIdentifier, pipeline.App.AppName)
objects[pipeline.Id] = []string{appObject, envObject}
}
}
Expand All @@ -536,7 +535,7 @@ func (impl EnforcerUtilImpl) GetRbacObjectsForAllAppsWithMatchingAppName(appName
}
for _, item := range result {
if _, ok := objects[item.Id]; !ok {
objects[item.Id] = fmt.Sprintf("%s/%s", strings.ToLower(item.Team.Name), strings.ToLower(item.AppName))
objects[item.Id] = fmt.Sprintf("%s/%s", item.Team.Name, item.AppName)
}
}
return objects
Expand All @@ -559,8 +558,8 @@ func (impl EnforcerUtilImpl) GetAppAndEnvObjectByPipeline(cdPipelines []*bean.CD
}
for _, pipeline := range cdPipelines {
if _, ok := objects[pipeline.Id]; !ok {
appObject := fmt.Sprintf("%s/%s", strings.ToLower(teamMap[pipeline.TeamId]), strings.ToLower(pipeline.AppName))
envObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.EnvironmentIdentifier), strings.ToLower(pipeline.AppName))
appObject := fmt.Sprintf("%s/%s", teamMap[pipeline.TeamId], pipeline.AppName)
envObject := fmt.Sprintf("%s/%s", pipeline.EnvironmentIdentifier, pipeline.AppName)
objects[pipeline.Id] = []string{appObject, envObject}
}
}
Expand All @@ -586,8 +585,8 @@ func (impl EnforcerUtilImpl) GetAppAndEnvObjectByDbPipeline(cdPipelines []*pipel
}
for _, pipeline := range cdPipelines {
if _, ok := objects[pipeline.Id]; !ok {
appObject := fmt.Sprintf("%s/%s", strings.ToLower(teamMap[pipeline.App.TeamId]), strings.ToLower(pipeline.App.AppName))
envObject := fmt.Sprintf("%s/%s", strings.ToLower(pipeline.Environment.EnvironmentIdentifier), strings.ToLower(pipeline.App.AppName))
appObject := fmt.Sprintf("%s/%s", teamMap[pipeline.App.TeamId], pipeline.App.AppName)
envObject := fmt.Sprintf("%s/%s", pipeline.Environment.EnvironmentIdentifier, pipeline.App.AppName)
objects[pipeline.Id] = []string{appObject, envObject}
}
}
Expand All @@ -601,11 +600,11 @@ func (impl EnforcerUtilImpl) GetAllActiveTeamNames() ([]string, error) {
return nil, err
}
for i, teamName := range teamNames {
teamNames[i] = strings.ToLower(teamName)
teamNames[i] = teamName
}
return teamNames, nil
}

func (impl EnforcerUtilImpl) GetAppRBACNameByAppAndProjectName(projectName, appName string) string {
return fmt.Sprintf("%s/%s", strings.ToLower(projectName), strings.ToLower(appName))
return fmt.Sprintf("%s/%s", projectName, appName)
}
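Review bot: In GetAllActiveTeamNames the loop body is left as `teamNames[i] = teamName`, which assigns each element to itself; with the `strings.ToLower` call gone the whole `for` can be deleted and `teamNames` returned directly. Every helper in this file now returns the RBAC object in stored case, so the results are only safe to pass to enforcer methods that lowercase internally. A short comment on the EnforcerUtil interface, such as `// RBAC objects are returned case-preserved; the enforcer lowercases them before matching`, would keep later callers from comparing them against policy strings directly. The `environmentIdentifier` values in the GetHelmObject* functions are computed outside the visible hunks, so their casing cannot be confirmed from here.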