Commit c1cdce7

kartik-579, Shivam-nagar23, manish-agrawal-ai, vikramdevtron
authored
Oss sync (#114)
* handled nil pointer in imagePullSecret service when asserting k8s error type (#3208) * fix: rbac optimisation for creation of policies for devtron app, helm app and cluster (#2948) * change1 * "RBAC Refactoring and Policy Creation Optimisation" * "Removing ClusterType" * "ReFactoring the changes" * removed redundant method * "Changes After Reviews" * "Changes After Reviews 2" * "Changes After Reviews 3" * "Changes After Reviews 4" * "Changes After Reviews 5" * "Changes After Reviews 6" * "Changes After Reviews 6" * "Changes based on entity" * Code Cleaning * Code change 8 * Code change 9 * Code change 9 * Code change 10 * Code change 11 * Code change 12 * Code change 13 * fixed transaction error for creating roles * refactoring - 1 * refactoring * Changes after Resolving conflicts * Changes after Resolving conflicts 2 * Changes after Resolving conflicts 3 * Changes after Resolving access_type to accessType and queries * Final changes * Rbac-Optimimisation Change * Rbac-Optimimisation Final Change * refactoring * Fixing Legacy Bug * Fixing Visiblity issues all pods * Merge with main * Intialisation with capacity and adding logs * Intialisation with capacity and adding logs * Refactoring the changes * Adding logs * Adding logs 1 * Updating the audit logs for create Role * Handling from code instead of script * Merge Main * Deleting Commented Code and adding role group view * Fixing issues caught in Dev-Testing * Removing script queries * Fixing Issues of entity empty * Dev-Testing Changes * Final Changes * Reducing duplication * Reducing duplication * Adding audit logs for superAdmin for user role mappings * Visibility of permissions * Visibility of permissions for devtron-apps * Fixing Legacy issue for deleting roleGroup permissions * deleting group and role mapping from casbin * updated sql script no. 
--------- Co-authored-by: kartik-579 <[email protected]> * fix: user/role group sql lock fix (#3206) * change1 * "RBAC Refactoring and Policy Creation Optimisation" * "Removing ClusterType" * "ReFactoring the changes" * removed redundant method * "Changes After Reviews" * "Changes After Reviews 2" * "Changes After Reviews 3" * "Changes After Reviews 4" * "Changes After Reviews 5" * "Changes After Reviews 6" * "Changes After Reviews 6" * "Changes based on entity" * Code Cleaning * Code change 8 * Code change 9 * Code change 9 * Code change 10 * Code change 11 * Code change 12 * Code change 13 * fixed transaction error for creating roles * refactoring - 1 * refactoring * Changes after Resolving conflicts * Changes after Resolving conflicts 2 * Changes after Resolving conflicts 3 * Changes after Resolving access_type to accessType and queries * Final changes * Rbac-Optimimisation Change * Rbac-Optimimisation Final Change * refactoring * Fixing Legacy Bug * Fixing Visiblity issues all pods * Merge with main * Intialisation with capacity and adding logs * Intialisation with capacity and adding logs * Refactoring the changes * Adding logs * Adding logs 1 * Updating the audit logs for create Role * Handling from code instead of script * Merge Main * Deleting Commented Code and adding role group view * Fixing issues caught in Dev-Testing * Removing script queries * Fixing Issues of entity empty * Dev-Testing Changes * Final Changes * Reducing duplication * Reducing duplication * Adding audit logs for superAdmin for user role mappings * Visibility of permissions * Visibility of permissions for devtron-apps * Fixing Legacy issue for deleting roleGroup permissions * deleting group and role mapping from casbin * fix deadlock condition for user/role group update * updated sql script no. 
--------- Co-authored-by: shivam-nagar23 <[email protected]> * fix: label key can be saved without value if saved without propagation (#3190) * fix: length of key increased in global tag * fix: not validating label value required tag as tags can be supplied without value if saved without propagation * sql file renamed * Fix: App grouping optimisation on ci pipelines (#3219) * optimize ci pipeline grouping * fix * fix * optimized ci pipelines fetch for app grouping - removed scripts and parent app id * added observability for ci pipeline in app grouping * fixed query for getting workflow runner by appId and envId, re-added ci trigger metrics (#3222) * fix: updated rbac for devtron apps/helm pipeline (#3227) * commented wrong rbac for devtron apps - helm pipeline * updated comments: * remove redundant files --------- Co-authored-by: Shivam-nagar23 <[email protected]> Co-authored-by: shivam-nagar23 <[email protected]> Co-authored-by: Manish Agrawal <[email protected]> Co-authored-by: Vikram <[email protected]>
1 parent ce35488 commit c1cdce7

1 file changed

+31
-28
lines changed

util/k8s/k8sApplicationRestHandler.go

Lines changed: 31 additions & 28 deletions
@@ -102,14 +102,15 @@ func (handler *K8sApplicationRestHandlerImpl) GetResource(w http.ResponseWriter,
102102
common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
103103
return
104104
}
105-
106-
rbacObject, rbacObject2 = handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(request.AppIdentifier.ClusterId, request.AppIdentifier.Namespace, request.AppIdentifier.ReleaseName)
107-
token := r.Header.Get("token")
108-
ok := handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject) || handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject2)
109-
if !ok {
110-
common.WriteJsonResp(w, errors2.New("unauthorized"), nil, http.StatusForbidden)
111-
return
112-
}
105+
// TODO: this rbac is commented because we are only checking helm apps access whereas this api is being used in devtron apps too
106+
// this needs to be updated with conditional rbac depending on where the call came from,until then this will get prevented with the view page permission
107+
//rbacObject, rbacObject2 = handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(request.AppIdentifier.ClusterId, request.AppIdentifier.Namespace, request.AppIdentifier.ReleaseName)
108+
//token := r.Header.Get("token")
109+
//ok := handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject) || handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject2)
110+
//if !ok {
111+
// common.WriteJsonResp(w, errors2.New("unauthorized"), nil, http.StatusForbidden)
112+
// return
113+
//}
113114
} else if request.ClusterId <= 0 {
114115
common.WriteJsonResp(w, errors.New("can not resource manifest as target cluster is not provided"), nil, http.StatusBadRequest)
115116
return
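Review bot: commenting out the `handler.enforcer.Enforce(...)` block in the `AppIdentifier` branch of `GetResource` leaves that branch with no authorization check in this handler: the 403 path is gone and nothing replaces it. The TODO says access "will get prevented with the view page permission", but no such check is visible on this code path, so a request sent straight to the API is not covered by anything shown here. Instead of removing the check, keep it for Helm callers and add the Devtron-app check behind a condition on where the call came from, denying the request when neither check passes. Since `rbacObject, rbacObject2` are assigned with `=` here, they are declared earlier in the function; please confirm they are still needed there once this block is disabled.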
@@ -403,16 +404,17 @@ func (handler *K8sApplicationRestHandlerImpl) ListEvents(w http.ResponseWriter,
403404
common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
404405
return
405406
}
406-
// RBAC enforcer applying
407-
rbacObject, rbacObject2 := handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(request.AppIdentifier.ClusterId, request.AppIdentifier.Namespace, request.AppIdentifier.ReleaseName)
408-
token := r.Header.Get("token")
409-
410-
ok := handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject) || handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject2)
411-
412-
if !ok {
413-
common.WriteJsonResp(w, errors2.New("unauthorized"), nil, http.StatusForbidden)
414-
return
415-
}
407+
// TODO: this rbac is commented because we are only checking helm apps access whereas this api is being used in devtron apps too
408+
// this needs to be updated with conditional rbac depending on where the call came from,until then this will get prevented with the view page permission
409+
//rbacObject, rbacObject2 := handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(request.AppIdentifier.ClusterId, request.AppIdentifier.Namespace, request.AppIdentifier.ReleaseName)
410+
//token := r.Header.Get("token")
411+
//
412+
//ok := handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject) || handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject2)
413+
//
414+
//if !ok {
415+
// common.WriteJsonResp(w, errors2.New("unauthorized"), nil, http.StatusForbidden)
416+
// return
417+
//}
416418
//RBAC enforcer Ends
417419
} else if request.ClusterId > 0 {
418420
if ok := handler.handleRbac(r, w, request, token, casbin.ActionGet); !ok {
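Review bot: after this change `ListEvents` is inconsistent between its two branches: the `request.ClusterId > 0` branch still calls `handler.handleRbac(r, w, request, token, casbin.ActionGet)` and rejects on failure, while the `AppIdentifier` branch above it now performs no enforcement at all. A caller can therefore choose the unchecked branch by supplying an app identifier. Please route the `AppIdentifier` branch through an equivalent check (Helm or Devtron-app object as appropriate) rather than leaving it open. The leftover `//RBAC enforcer Ends` marker and the empty `//` lines now bracket nothing and read as if a check were still in place; remove them or replace the whole block with a single TODO that links a tracking issue.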
@@ -492,16 +494,17 @@ func (handler *K8sApplicationRestHandlerImpl) GetPodLogs(w http.ResponseWriter,
492494
common.WriteJsonResp(w, &apiError, nil, http.StatusBadRequest)
493495
return
494496
}
495-
// RBAC enforcer applying
496-
rbacObject, rbacObject2 := handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(request.AppIdentifier.ClusterId, request.AppIdentifier.Namespace, request.AppIdentifier.ReleaseName)
497-
token := r.Header.Get("token")
498-
499-
ok := handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject) || handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject2)
500-
501-
if !ok {
502-
common.WriteJsonResp(w, errors2.New("unauthorized"), nil, http.StatusForbidden)
503-
return
504-
}
497+
// TODO: this rbac is commented because we are only checking helm apps access whereas this api is being used in devtron apps too
498+
// this needs to be updated with conditional rbac depending on where the call came from,until then this will get prevented with the view page permission
499+
//rbacObject, rbacObject2 := handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(request.AppIdentifier.ClusterId, request.AppIdentifier.Namespace, request.AppIdentifier.ReleaseName)
500+
//token := r.Header.Get("token")
501+
//
502+
//ok := handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject) || handler.enforcer.Enforce(token, casbin.ResourceHelmApp, casbin.ActionGet, rbacObject2)
503+
//
504+
//if !ok {
505+
// common.WriteJsonResp(w, errors2.New("unauthorized"), nil, http.StatusForbidden)
506+
// return
507+
//}
505508
//RBAC enforcer Ends
506509
} else if clusterIdString != "" && namespace != "" {
507510
clusterId, err := strconv.Atoi(clusterIdString)
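Review bot: in `GetPodLogs` the disabled `Enforce` block was the only visible gate on the `AppIdentifier` branch, and pod logs are among the more sensitive outputs an API like this returns, so this is the hunk where dropping the check matters most. This is also the third copy of the same two-line TODO and commented-out block in one file; three hand-maintained copies will drift when the conditional RBAC is eventually written. Suggest extracting one helper on the handler that takes the request and the action, decides between the Helm-app and Devtron-app objects, and writes the `http.StatusForbidden` response on failure, then calling it from `GetResource`, `ListEvents` and `GetPodLogs`. Until that lands, failing closed for callers that match neither case is safer than skipping the check, and the stale `//RBAC enforcer Ends` comment should go.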
