Merge branch 'main' into maintaining_audit_logs

Author: prakash100198

internal/sql/repository/security/CvePolicyControle.go

@@ -46,10 +46,11 @@ const (
 	Inherit PolicyAction = iota
 	Allow
 	Block
+	Blockiffixed
 )
 
 func (d PolicyAction) String() string {
-	return [...]string{"inherit", "allow", "block"}[d]
+	return [...]string{"inherit", "allow", "block", "blockiffixed"}[d]
 }
 
 // ------------------
@@ -246,23 +247,23 @@ func (impl *CvePolicyRepositoryImpl) GetBlockedCVEList(cves []*CveStore, cluster
 	if err != nil {
 		return nil, err
 	}
-	blockedCve := impl.enforceCvePolicy(cves, cvePolicy, severityPolicy)
+	blockedCve := EnforceCvePolicy(cves, cvePolicy, severityPolicy)
 	return blockedCve, nil
 }
 
-func (impl *CvePolicyRepositoryImpl) enforceCvePolicy(cves []*CveStore, cvePolicy map[string]*CvePolicy, severityPolicy map[Severity]*CvePolicy) (blockedCVE []*CveStore) {
+func EnforceCvePolicy(cves []*CveStore, cvePolicy map[string]*CvePolicy, severityPolicy map[Severity]*CvePolicy) (blockedCVE []*CveStore) {
 
 	for _, cve := range cves {
 		if policy, ok := cvePolicy[cve.Name]; ok {
 			if policy.Action == Allow {
 				continue
-			} else {
+			} else if (policy.Action == Block) || (policy.Action == Blockiffixed && cve.FixedVersion != "") {
 				blockedCVE = append(blockedCVE, cve)
 			}
 		} else {
 			if severityPolicy[cve.Severity] != nil && severityPolicy[cve.Severity].Action == Allow {
 				continue
-			} else {
+			} else if severityPolicy[cve.Severity] != nil && (severityPolicy[cve.Severity].Action == Block || (severityPolicy[cve.Severity].Action == Blockiffixed && cve.FixedVersion != "")) {
 				blockedCVE = append(blockedCVE, cve)
 			}
 		}
@@ -346,6 +347,7 @@ func (impl *CvePolicyRepositoryImpl) getHighestPolicy(allPolicies map[string][]*
 	}
 	return applicablePolicies
 }
+
 func (impl *CvePolicyRepositoryImpl) getHighestPolicyS(allPolicies map[Severity][]*CvePolicy) map[Severity]*CvePolicy {
 	applicablePolicies := make(map[Severity]*CvePolicy)
 	for key, policies := range allPolicies {

internal/sql/repository/security/CvePolicyControle_test.go

@@ -0,0 +1,179 @@
+package security
+
+import (
+	"github.com/go-pg/pg"
+	"reflect"
+	"testing"
+)
+
+func TestCvePolicyRepositoryImpl_enforceCvePolicy(t *testing.T) {
+	type fields struct {
+		dbConnection *pg.DB
+	}
+	type args struct {
+		cves           []*CveStore
+		cvePolicy      map[string]*CvePolicy
+		severityPolicy map[Severity]*CvePolicy
+	}
+	tests := []struct {
+		name           string
+		fields         fields
+		args           args
+		wantBlockedCVE []*CveStore
+	}{
+		// TODO: Add test cases.
+		{
+			name: "Test 1",
+			args: args{
+				cves: []*CveStore{
+					{
+						Name: "abc",
+					},
+					{
+						Severity: Low,
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{
+					"abc": {
+						Action: Allow,
+					},
+				},
+				severityPolicy: map[Severity]*CvePolicy{
+					Low: {
+						Action: Allow,
+					},
+				},
+			},
+			wantBlockedCVE: nil,
+		},
+		{
+			name: "Test 2",
+			args: args{
+				cves: []*CveStore{
+					{
+						Name: "abc",
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{
+					"abc": {
+						Action: Block,
+					},
+				},
+				severityPolicy: map[Severity]*CvePolicy{},
+			},
+			wantBlockedCVE: []*CveStore{
+				{
+					Name: "abc",
+				},
+			},
+		},
+		{
+			name: "Test 3",
+			args: args{
+				cves: []*CveStore{
+					{
+						Severity: High,
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{},
+				severityPolicy: map[Severity]*CvePolicy{
+					High: {
+						Action: Block,
+					},
+				},
+			},
+			wantBlockedCVE: []*CveStore{
+				{
+					Severity: High,
+				},
+			},
+		},
+		{
+			name: "Test 4",
+			args: args{
+				cves: []*CveStore{
+					{
+						Name:         "abc",
+						FixedVersion: "1.0.0",
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{
+					"abc": {
+						Action: Blockiffixed,
+					},
+				},
+				severityPolicy: map[Severity]*CvePolicy{},
+			},
+			wantBlockedCVE: []*CveStore{
+				{
+					Name:         "abc",
+					FixedVersion: "1.0.0",
+				},
+			},
+		},
+		{
+			name: "Test 5",
+			args: args{
+				cves: []*CveStore{
+					{
+						Name: "abc",
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{
+					"abc": {
+						Action: Blockiffixed,
+					},
+				},
+				severityPolicy: map[Severity]*CvePolicy{},
+			},
+			wantBlockedCVE: nil,
+		},
+		{
+			name: "Test 6",
+			args: args{
+				cves: []*CveStore{
+					{
+						Severity:     High,
+						FixedVersion: "1.0.0",
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{},
+				severityPolicy: map[Severity]*CvePolicy{
+					High: {
+						Action: Blockiffixed,
+					},
+				},
+			},
+			wantBlockedCVE: []*CveStore{
+				{
+					Severity:     High,
+					FixedVersion: "1.0.0",
+				},
+			},
+		},
+		{
+			name: "Test 7",
+			args: args{
+				cves: []*CveStore{
+					{
+						Severity: High,
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{},
+				severityPolicy: map[Severity]*CvePolicy{
+					High: {
+						Action: Blockiffixed,
+					},
+				},
+			},
+			wantBlockedCVE: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if gotBlockedCVE := EnforceCvePolicy(tt.args.cves, tt.args.cvePolicy, tt.args.severityPolicy); !reflect.DeepEqual(gotBlockedCVE, tt.wantBlockedCVE) {
+				t.Errorf("EnforceCvePolicy() = %v, want %v", gotBlockedCVE, tt.wantBlockedCVE)
+			}
+		})
+	}
+}

pkg/pipeline/CdConfig.go

@@ -19,11 +19,10 @@ package pipeline
 
 import (
 	"fmt"
+	"github.com/caarlos0/env"
 	blob_storage "github.com/devtron-labs/common-lib/blob-storage"
 	"github.com/devtron-labs/devtron/internal/sql/repository/pipelineConfig"
 	"strings"
-
-	"github.com/caarlos0/env"
 )
 
 type CdConfig struct {
@@ -32,12 +31,16 @@ type CdConfig struct {
 	ReqCpu                           string   `env:"CD_REQ_CI_CPU" envDefault:"0.5"`
 	ReqMem                           string   `env:"CD_REQ_CI_MEM" envDefault:"3G"`
 	TaintKey                         string   `env:"CD_NODE_TAINTS_KEY" envDefault:"dedicated"`
+	ExternalTaintKey                 string   `env:"EXTERNAL_CD_NODE_TAINTS_KEY" envDefault:"dedicated"`
+	UseExternalNode                  bool     `env:"USE_EXTERNAL_NODE" envDefault:"false"`
 	WorkflowServiceAccount           string   `env:"CD_WORKFLOW_SERVICE_ACCOUNT" envDefault:"cd-runner"`
 	DefaultBuildLogsKeyPrefix        string   `env:"DEFAULT_BUILD_LOGS_KEY_PREFIX" `
 	DefaultArtifactKeyPrefix         string   `env:"DEFAULT_CD_ARTIFACT_KEY_LOCATION" `
 	TaintValue                       string   `env:"CD_NODE_TAINTS_VALUE" envDefault:"ci"`
+	ExternalTaintValue               string   `env:"EXTERNAL_CD_NODE_TAINTS_VALUE" envDefault:"ci"`
 	DefaultBuildLogsBucket           string   `env:"DEFAULT_BUILD_LOGS_BUCKET" `
 	NodeLabelSelector                []string `env:"CD_NODE_LABEL_SELECTOR"`
+	ExternalNodeLabelSelector        []string `env:"EXTERNAL_CD_NODE_LABEL_SELECTOR"`
 	CdArtifactLocationFormat         string   `env:"CD_ARTIFACT_LOCATION_FORMAT" envDefault:"%d/%d.zip"`
 	DefaultNamespace                 string   `env:"DEFAULT_CD_NAMESPACE"`
 	DefaultImage                     string   `env:"DEFAULT_CI_IMAGE"`
@@ -47,6 +50,7 @@ type CdConfig struct {
 	OrchestratorHost                 string   `env:"ORCH_HOST" envDefault:"http://devtroncd-orchestrator-service-prod.devtroncd/webhook/msg/nats"`
 	OrchestratorToken                string   `env:"ORCH_TOKEN" envDefault:""`
 	NodeLabel                        map[string]string
+	ExternalNodeLabel                map[string]string
 	CloudProvider                    blob_storage.BlobStorageType        `env:"BLOB_STORAGE_PROVIDER" envDefault:"S3"`
 	BlobStorageEnabled               bool                                `env:"BLOB_STORAGE_ENABLED" envDefault:"false"`
 	BlobStorageS3AccessKey           string                              `env:"BLOB_STORAGE_S3_ACCESS_KEY"`
@@ -74,17 +78,31 @@ type CdConfig struct {
 func GetCdConfig() (*CdConfig, error) {
 	cfg := &CdConfig{}
 	err := env.Parse(cfg)
-	cfg.NodeLabel = make(map[string]string)
-	for _, l := range cfg.NodeLabelSelector {
+	if err != nil {
+		return nil, err
+	}
+	cfg.NodeLabel, err = assignNodeLabelSelector(cfg.NodeLabelSelector)
+	if err != nil {
+		return nil, err
+	}
+	cfg.ExternalNodeLabel, err = assignNodeLabelSelector(cfg.ExternalNodeLabelSelector)
+	if err != nil {
+		return nil, err
+	}
+	return cfg, err
+}
+
+func assignNodeLabelSelector(labelSelector []string) (map[string]string, error) {
+	label := make(map[string]string)
+	for _, l := range labelSelector {
 		if l == "" {
 			continue
 		}
 		kv := strings.Split(l, "=")
 		if len(kv) != 2 {
 			return nil, fmt.Errorf("invalid ci node label selector %s, it must be in form key=value, key2=val2", kv)
 		}
-		cfg.NodeLabel[kv[0]] = kv[1]
+		label[kv[0]] = kv[1]
 	}
-
-	return cfg, err
+	return label, nil
 }

pkg/pipeline/CdWorkflowService.go

@@ -238,17 +238,28 @@ func (impl *CdWorkflowServiceImpl) SubmitWorkflow(workflowRequest *CdWorkflowReq
 	workflowTemplate.Secrets = workflowSecrets
 
 	workflowTemplate.ServiceAccountName = impl.cdConfig.WorkflowServiceAccount
-	workflowTemplate.NodeSelector = map[string]string{impl.cdConfig.TaintKey: impl.cdConfig.TaintValue}
-	workflowTemplate.Tolerations = []v12.Toleration{{Key: impl.cdConfig.TaintKey, Value: impl.cdConfig.TaintValue, Operator: v12.TolerationOpEqual, Effect: v12.TaintEffectNoSchedule}}
+	if workflowRequest.IsExtRun && impl.cdConfig.UseExternalNode {
+		if impl.cdConfig.ExternalTaintKey != "" {
+			workflowTemplate.NodeSelector = map[string]string{impl.cdConfig.ExternalTaintKey: impl.cdConfig.ExternalTaintValue}
+		}
+		workflowTemplate.Tolerations = []v12.Toleration{{Key: impl.cdConfig.ExternalTaintKey, Value: impl.cdConfig.ExternalTaintValue, Operator: v12.TolerationOpEqual, Effect: v12.TaintEffectNoSchedule}}
+		if len(impl.cdConfig.ExternalNodeLabel) > 0 {
+			workflowTemplate.NodeSelector = impl.cdConfig.ExternalNodeLabel
+		}
+	} else {
+		if impl.cdConfig.TaintKey != "" {
+			workflowTemplate.NodeSelector = map[string]string{impl.cdConfig.TaintKey: impl.cdConfig.TaintValue}
+		}
+		workflowTemplate.Tolerations = []v12.Toleration{{Key: impl.cdConfig.TaintKey, Value: impl.cdConfig.TaintValue, Operator: v12.TolerationOpEqual, Effect: v12.TaintEffectNoSchedule}}
+		if len(impl.cdConfig.NodeLabel) > 0 {
+			workflowTemplate.NodeSelector = impl.cdConfig.NodeLabel
+		}
+	}
 	workflowTemplate.Volumes = ExtractVolumesFromCmCs(workflowConfigMaps, workflowSecrets)
 	workflowTemplate.ArchiveLogs = storageConfigured
 	workflowTemplate.ArchiveLogs = workflowTemplate.ArchiveLogs && !ciCdTriggerEvent.CdRequest.InAppLoggingEnabled
 	workflowTemplate.RestartPolicy = v12.RestartPolicyNever
 
-	if len(impl.cdConfig.NodeLabel) > 0 {
-		workflowTemplate.NodeSelector = impl.cdConfig.NodeLabel
-	}
-
 	limitCpu := impl.cdConfig.LimitCpu
 	limitMem := impl.cdConfig.LimitMem
 	reqCpu := impl.cdConfig.ReqCpu