Merge branch 'develop' into audit-trigger

Author: prakash100198

api/restHandler/ImageScanRestHandler.go

@@ -23,6 +23,7 @@ import (
 	"github.com/devtron-labs/devtron/pkg/policyGovernance/security/imageScanning"
 	securityBean "github.com/devtron-labs/devtron/pkg/policyGovernance/security/imageScanning/bean"
 	security2 "github.com/devtron-labs/devtron/pkg/policyGovernance/security/imageScanning/repository"
+	"github.com/devtron-labs/devtron/util/sliceUtil"
 	"net/http"
 	"strconv"
 
@@ -104,6 +105,45 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 		return
 	}
 	token := r.Header.Get("token")
+	isSuperAdmin := false
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
+		isSuperAdmin = true
+	}
+	var ids []int
+	if isSuperAdmin {
+		ids = sliceUtil.NewSliceFromFuncExec(filteredDeployInfoList, func(item *security2.ImageScanDeployInfo) int {
+			return item.Id
+		})
+	} else {
+		ids, err = impl.getAuthorisedImageScanDeployInfoIds(token, filteredDeployInfoList)
+		if err != nil {
+			impl.logger.Errorw("error in getting authorised image scan deploy info ids", "err", err)
+			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+			return
+		}
+	}
+
+	if len(ids) == 0 {
+		responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
+		common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
+		return
+	}
+
+	results, err := impl.imageScanService.FetchScanExecutionListing(request, ids)
+	if err != nil {
+		impl.logger.Errorw("service err, ScanExecutionList", "err", err, "payload", request)
+		if util.IsErrNoRows(err) {
+			responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
+			common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
+		} else {
+			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		}
+		return
+	}
+	common.WriteJsonResp(w, err, results, http.StatusOK)
+}
+
+func (impl ImageScanRestHandlerImpl) getAuthorisedImageScanDeployInfoIds(token string, filteredDeployInfoList []*security2.ImageScanDeployInfo) ([]int, error) {
 	var ids []int
 	var appRBACObjects []string
 	var envRBACObjects []string
@@ -119,8 +159,8 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 
 	appObjects, envObjects, appIdtoApp, envIdToEnv, err := impl.enforcerUtil.GetAppAndEnvRBACNamesByAppAndEnvIds(IdToAppEnvPairs)
 	if err != nil {
-		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
-		return
+		impl.logger.Errorw("error in getting app and env rbac objects", "err", err)
+		return nil, err
 	}
 
 	for _, item := range filteredDeployInfoList {
@@ -136,8 +176,8 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 		} else if item.ScanObjectMetaId > 0 && (item.ObjectType == ObjectTypePod) {
 			environments, err := impl.environmentService.GetByClusterId(item.ClusterId)
 			if err != nil {
-				common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
-				return
+				impl.logger.Errorw("error in getting environments for cluster", "clusterId", item.ClusterId, "err", err)
+				return nil, err
 			}
 			for _, environment := range environments {
 				podObject := environment.EnvironmentIdentifier
@@ -163,25 +203,7 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 			}
 		}
 	}
-
-	if ids == nil || len(ids) == 0 {
-		responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
-		common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
-		return
-	}
-
-	results, err := impl.imageScanService.FetchScanExecutionListing(request, ids)
-	if err != nil {
-		impl.logger.Errorw("service err, ScanExecutionList", "err", err, "payload", request)
-		if util.IsErrNoRows(err) {
-			responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
-			common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
-		} else {
-			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
-		}
-		return
-	}
-	common.WriteJsonResp(w, err, results, http.StatusOK)
+	return ids, nil
 }
 
 func (impl ImageScanRestHandlerImpl) FetchExecutionDetail(w http.ResponseWriter, r *http.Request) {

internal/sql/repository/pipelineConfig/CdWorfkflowRepository.go

@@ -774,31 +774,41 @@ func (impl *CdWorkflowRepositoryImpl) FindDeployedCdWorkflowRunnersByPipelineId(
 }
 
 func (impl *CdWorkflowRepositoryImpl) FindLatestCdWorkflowRunnerArtifactMetadataForAppAndEnvIds(appVsEnvIdMap map[int][]int, runnerType apiBean.WorkflowType) ([]*cdWorkflow.CdWorkflowRunnerArtifactMetadata, error) {
-	var allRunners []*cdWorkflow.CdWorkflowRunnerArtifactMetadata
+	var runners []*cdWorkflow.CdWorkflowRunnerArtifactMetadata
+
+	// Prepare the (app_id, env_id) tuple list for the query
+	tupleList := make([]interface{}, 0, len(appVsEnvIdMap))
+	for appId, envIds := range appVsEnvIdMap {
+		for _, envId := range envIds {
+			tupleList = append(tupleList, []interface{}{appId, envId})
+		}
+	}
+	if len(tupleList) == 0 {
+		return nil, nil
+	}
+
 	query := `
 WITH RankedData AS (
     SELECT 
         p.app_id AS "app_id",
         p.environment_id AS "env_id",
-		p.deleted AS "deleted",
+        p.deleted AS "deleted",
         wf.ci_artifact_id AS "ci_artifact_id",
         ci_artifact.parent_ci_artifact AS "parent_ci_artifact",
         ci_artifact.scanned AS "scanned",
         ROW_NUMBER() OVER (PARTITION BY p.app_id, p.environment_id ORDER BY cd_workflow_runner.id DESC) AS rn
     FROM cd_workflow_runner INNER JOIN cd_workflow wf ON wf.id = cd_workflow_runner.cd_workflow_id
     INNER JOIN pipeline p ON p.id = wf.pipeline_id
     INNER JOIN ci_artifact ON ci_artifact.id = wf.ci_artifact_id
-    WHERE cd_workflow_runner.workflow_type = ? AND p.app_id = ? AND p.environment_id IN (?))
+    WHERE cd_workflow_runner.workflow_type = ? 
+      AND (p.app_id, p.environment_id) IN ( ? )
+)
 SELECT "app_id","env_id","ci_artifact_id","parent_ci_artifact","scanned" FROM RankedData WHERE rn = 1 and deleted= false;
 `
-	for appId, envIds := range appVsEnvIdMap {
-		var runners []*cdWorkflow.CdWorkflowRunnerArtifactMetadata
-		_, err := impl.dbConnection.Query(&runners, query, runnerType, appId, pg.In(envIds))
-		if err != nil {
-			impl.logger.Errorw("error in getting cdWfrs by appId and envIds and runner type", "appVsEnvIdMap", appVsEnvIdMap, "err", err)
-			return nil, err
-		}
-		allRunners = append(allRunners, runners...)
+	_, err := impl.dbConnection.Query(&runners, query, runnerType, pg.In(tupleList))
+	if err != nil {
+		impl.logger.Errorw("error in getting cdWfrs by appId and envIds and runner type", "appVsEnvIdMap", appVsEnvIdMap, "err", err)
+		return nil, err
 	}
-	return allRunners, nil
+	return runners, nil
 }

pkg/pipeline/PipelineStageService.go

@@ -25,6 +25,7 @@ import (
 	"github.com/devtron-labs/devtron/internal/util"
 	"github.com/devtron-labs/devtron/pkg/pipeline/adapter"
 	"github.com/devtron-labs/devtron/pkg/pipeline/bean"
+	"github.com/devtron-labs/devtron/pkg/pipeline/helper"
 	"github.com/devtron-labs/devtron/pkg/pipeline/repository"
 	"github.com/devtron-labs/devtron/pkg/plugin"
 	repository2 "github.com/devtron-labs/devtron/pkg/plugin/repository"
@@ -679,14 +680,15 @@ func (impl *PipelineStageServiceImpl) CreateStageSteps(steps []*bean.PipelineSta
 				impl.logger.Errorw("error in creating script and mapping for inline step", "err", err, "inlineStepDetail", inlineStepDetail)
 				return err
 			}
+
 			inlineStep := &repository.PipelineStageStep{
 				PipelineStageId:     stageId,
 				Name:                step.Name,
 				Description:         step.Description,
 				Index:               step.Index,
 				StepType:            step.StepType,
 				ScriptId:            scriptEntryId,
-				OutputDirectoryPath: step.OutputDirectoryPath,
+				OutputDirectoryPath: helper.FilterReservedPathFromOutputDirPath(step.OutputDirectoryPath), // TODO: silently filtering reserved paths, not throwing error as of now since this flow is not in tx
 				DependentOnStep:     dependentOnStep,
 				Deleted:             false,
 				AuditLog: sql.AuditLog{
@@ -1205,7 +1207,7 @@ func (impl *PipelineStageServiceImpl) UpdateStageStepsWithTx(steps []*bean.Pipel
 			Description:         step.Description,
 			Index:               step.Index,
 			StepType:            step.StepType,
-			OutputDirectoryPath: step.OutputDirectoryPath,
+			OutputDirectoryPath: helper.FilterReservedPathFromOutputDirPath(step.OutputDirectoryPath),
 			DependentOnStep:     dependentOnStep,
 			Deleted:             false,
 			AuditLog: sql.AuditLog{

pkg/pipeline/constants/constants.go

@@ -40,3 +40,4 @@ const Starting = "Starting"
 const TERMINATE_MESSAGE = "workflow shutdown with strategy: Terminate"
 const FORCE_ABORT_MESSAGE_AFTER_STARTING_STAGE = "workflow shutdown with strategy: Force Abort"
 const POD_TIMEOUT_MESSAGE = "Pod was active on the node longer than the specified deadline"
+const CiRunnerWorkingDir = "/devtroncd"

pkg/pipeline/helper/helper.go

@@ -0,0 +1,16 @@
+package helper
+
+import (
+	"github.com/devtron-labs/devtron/pkg/pipeline/constants"
+	"strings"
+)
+
+func FilterReservedPathFromOutputDirPath(outputDirectoryPath []string) []string {
+	var newOutputDirPath []string
+	for _, path := range outputDirectoryPath {
+		if !strings.HasPrefix(path, constants.CiRunnerWorkingDir) {
+			newOutputDirPath = append(newOutputDirPath, path)
+		}
+	}
+	return newOutputDirPath
+}