devtron-labs
diff --git a/‎api/auth/user/UserRestHandler.go‎
Lines changed: 280 additions & 152 deletions b/‎api/auth/user/UserRestHandler.go‎
Lines changed: 280 additions & 152 deletions
diff --git a/‎api/bean/UserRequest.go‎
Lines changed: 1 addition & 0 deletions b/‎api/bean/UserRequest.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/helm-app/service/HelmAppService.go‎
Lines changed: 4 additions & 4 deletions b/‎api/helm-app/service/HelmAppService.go‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎api/restHandler/DockerRegRestHandler.go‎
Lines changed: 4 additions & 15 deletions b/‎api/restHandler/DockerRegRestHandler.go‎
Lines changed: 4 additions & 15 deletions
diff --git a/‎cmd/external-app/wire_gen.go‎
Lines changed: 1 addition & 1 deletion b/‎cmd/external-app/wire_gen.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/apiToken/ApiTokenService.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/apiToken/ApiTokenService.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/auth/user/RoleGroupService.go‎
Lines changed: 33 additions & 26 deletions b/‎pkg/auth/user/RoleGroupService.go‎
Lines changed: 33 additions & 26 deletions
@@ -118,6 +118,7 @@ const (
 	USER_TYPE_API_TOKEN             = "apiToken"
 	CHART_GROUP_ENTITY              = "chart-group"
 	CLUSTER_ENTITIY                 = "cluster"
+	ACTION_SUPERADMIN               = "super-admin"
 )
 
 type UserListingResponse struct {
 
@@ -86,7 +86,7 @@ type HelmAppService interface {
 	UpdateApplicationWithChartInfoWithExtraValues(ctx context.Context, appIdentifier *helmBean.AppIdentifier, chartRepository *gRPC.ChartRepository, extraValues map[string]interface{}, extraValuesYamlUrl string, useLatestChartVersion bool) (*openapi.UpdateReleaseResponse, error)
 	TemplateChart(ctx context.Context, templateChartRequest *openapi2.TemplateChartRequest) (*openapi2.TemplateChartResponse, error)
 	GetNotes(ctx context.Context, request *gRPC.InstallReleaseRequest) (string, error)
-	ValidateOCIRegistry(ctx context.Context, OCIRegistryRequest *gRPC.RegistryCredential) bool
+	ValidateOCIRegistry(ctx context.Context, OCIRegistryRequest *gRPC.RegistryCredential) (bool, error)
 	GetRevisionHistoryMaxValue(appType bean.SourceAppType) int32
 	GetResourceTreeForExternalResources(ctx context.Context, clusterId int, clusterConfig *gRPC.ClusterConfig, resources []*gRPC.ExternalResourceDetail) (*gRPC.ResourceTreeResponse, error)
 	CheckIfNsExistsForClusterIds(clusterIdToNsMap map[int]string) error
@@ -1022,13 +1022,13 @@ func (impl *HelmAppServiceImpl) GetNotes(ctx context.Context, request *gRPC.Inst
 	return notesTxt, err
 }
 
-func (impl *HelmAppServiceImpl) ValidateOCIRegistry(ctx context.Context, OCIRegistryRequest *gRPC.RegistryCredential) bool {
+func (impl *HelmAppServiceImpl) ValidateOCIRegistry(ctx context.Context, OCIRegistryRequest *gRPC.RegistryCredential) (bool, error) {
 	response, err := impl.helmAppClient.ValidateOCIRegistry(ctx, OCIRegistryRequest)
 	if err != nil {
 		impl.logger.Errorw("error in fetching chart", "err", err)
-		return false
+		return false, err
 	}
-	return response.IsLoggedIn
+	return response.IsLoggedIn, nil
 }
 
 func (impl *HelmAppServiceImpl) DecodeAppId(appId string) (*helmBean.AppIdentifier, error) {
 
@@ -24,7 +24,6 @@ import (
 
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	repository "github.com/devtron-labs/devtron/internal/sql/repository/dockerRegistry"
-	"github.com/devtron-labs/devtron/internal/util"
 	chartProviderService "github.com/devtron-labs/devtron/pkg/appStore/chartProvider"
 	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
 	"github.com/devtron-labs/devtron/pkg/auth/user"
@@ -233,13 +232,8 @@ func (impl DockerRegRestHandlerImpl) SaveDockerRegistryConfig(w http.ResponseWri
 	//RBAC enforcer Ends
 
 	// valid registry credentials from kubelink
-	if isValid := impl.dockerRegistryConfig.ValidateRegistryCredentials(&bean); !isValid {
-		impl.logger.Errorw("registry credentials validation err, SaveDockerRegistryConfig", "err", err, "payload", bean)
-		err = &util.ApiError{
-			HttpStatusCode:  http.StatusBadRequest,
-			InternalMessage: "Invalid authentication credentials. Please verify.",
-			UserMessage:     "Invalid authentication credentials. Please verify.",
-		}
+	if err = impl.dockerRegistryConfig.ValidateRegistryCredentials(&bean); err != nil {
+		impl.logger.Errorw("registry credentials validation err, SaveDockerRegistryConfig", "err", err)
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
@@ -349,13 +343,8 @@ func (impl DockerRegRestHandlerImpl) ValidateDockerRegistryConfig(w http.Respons
 		bean.Cert = existingStore.Cert
 	}
 	// valid registry credentials from kubelink
-	if isValid := impl.dockerRegistryConfig.ValidateRegistryCredentials(&bean); !isValid {
-		impl.logger.Errorw("registry credentials validation err, SaveDockerRegistryConfig", "err", err, "payload", bean)
-		err = &util.ApiError{
-			HttpStatusCode:  http.StatusBadRequest,
-			InternalMessage: "Invalid authentication credentials. Please verify.",
-			UserMessage:     "Invalid authentication credentials. Please verify.",
-		}
+	if err = impl.dockerRegistryConfig.ValidateRegistryCredentials(&bean); err != nil {
+		impl.logger.Errorw("registry credentials validation err, SaveDockerRegistryConfig", "err", err)
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
 
@@ -205,7 +205,7 @@ func (impl ApiTokenServiceImpl) CreateApiToken(request *openapi.CreateApiTokenRe
 		EmailId:  email,
 		UserType: bean.USER_TYPE_API_TOKEN,
 	}
-	createUserResponse, _, err := impl.userService.CreateUser(&createUserRequest, token, managerAuth)
+	createUserResponse, err := impl.userService.CreateUser(&createUserRequest)
 	if err != nil {
 		impl.logger.Errorw("error while creating user for api-token", "email", email, "error", err)
 		return nil, err
 
@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"github.com/devtron-labs/devtron/pkg/auth/user/repository/helper"
+	"net/http"
 	"strings"
 	"time"
 
@@ -37,7 +38,8 @@ import (
 
 type RoleGroupService interface {
 	CreateRoleGroup(request *bean.RoleGroup) (*bean.RoleGroup, error)
-	UpdateRoleGroup(request *bean.RoleGroup, token string, managerAuth func(resource, token string, object string) bool) (*bean.RoleGroup, error)
+	UpdateRoleGroup(request *bean.RoleGroup, token string, checkRBACForGroupUpdate func(token string, groupInfo *bean.RoleGroup,
+		eliminatedRoleFilters []*repository.RoleModel) (isAuthorised bool, err error)) (*bean.RoleGroup, error)
 	FetchDetailedRoleGroups(req *bean.ListingRequest) ([]*bean.RoleGroup, error)
 	FetchRoleGroupsById(id int32) (*bean.RoleGroup, error)
 	FetchRoleGroups() ([]*bean.RoleGroup, error)
@@ -136,21 +138,21 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 			for index, roleFilter := range request.RoleFilters {
 				entity := roleFilter.Entity
 				if entity == bean.CLUSTER_ENTITIY {
-					policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, model, nil, "", nil, tx, mapping[index])
+					policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, model, nil, tx, mapping[index])
 					policies = append(policies, policiesToBeAdded...)
 					if err != nil {
 						// making it non-blocking as it is being done for multiple Role filters and does not want this to be blocking.
 						impl.logger.Errorw("error in creating updating role group for cluster entity", "err", err, "roleFilter", roleFilter)
 					}
 				} else if entity == bean2.EntityJobs {
-					policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForJobsEntity(roleFilter, request.UserId, model, nil, "", nil, tx, mapping[index])
+					policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForJobsEntity(roleFilter, request.UserId, model, nil, tx, mapping[index])
 					policies = append(policies, policiesToBeAdded...)
 					if err != nil {
 						// making it non-blocking as it is being done for multiple Role filters and does not want this to be blocking.
 						impl.logger.Errorw("error in creating updating role group for jobs entity", "err", err, "roleFilter", roleFilter)
 					}
 				} else {
-					policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForOtherEntity(roleFilter, request, model, nil, "", nil, tx, mapping[index])
+					policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForOtherEntity(roleFilter, request, model, nil, tx, mapping[index])
 					policies = append(policies, policiesToBeAdded...)
 					if err != nil {
 						// making it non-blocking as it is being done for multiple Role filters and does not want this to be blocking.
@@ -199,7 +201,7 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 	return request, nil
 }
 
-func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFilter bean.RoleFilter, userId int32, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, token string, managerAuth func(resource string, token string, object string) bool, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
+func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFilter bean.RoleFilter, userId int32, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
 	//var policiesToBeAdded []casbin2.Policy
 	namespaces := strings.Split(roleFilter.Namespace, ",")
 	groups := strings.Split(roleFilter.Group, ",")
@@ -213,12 +215,6 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFil
 		for _, group := range groups {
 			for _, kind := range kinds {
 				for _, resource := range resources {
-					if managerAuth != nil {
-						isValidAuth := impl.userCommonService.CheckRbacForClusterEntity(roleFilter.Cluster, namespace, group, kind, resource, token, managerAuth)
-						if !isValidAuth {
-							continue
-						}
-					}
 					roleModel, err := impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, "", "", "", "", accessType, roleFilter.Cluster, namespace, group, kind, resource, actionType, false, "")
 					if err != nil {
 						impl.logger.Errorw("error in getting new role model by filter")
@@ -263,7 +259,7 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFil
 	return policiesToBeAdded, nil
 }
 
-func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForOtherEntity(roleFilter bean.RoleFilter, request *bean.RoleGroup, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, token string, managerAuth func(resource string, token string, object string) bool, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
+func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForOtherEntity(roleFilter bean.RoleFilter, request *bean.RoleGroup, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
 	actionType := roleFilter.Action
 	accessType := roleFilter.AccessType
 	entity := roleFilter.Entity
@@ -319,7 +315,7 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForOtherEntity(roleFilte
 	return policiesToBeAdded, nil
 }
 
-func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForJobsEntity(roleFilter bean.RoleFilter, userId int32, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, token string, managerAuth func(resource string, token string, object string) bool, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
+func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForJobsEntity(roleFilter bean.RoleFilter, userId int32, model *repository.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, tx *pg.Tx, capacity int) ([]casbin2.Policy, error) {
 	actionType := roleFilter.Action
 	accessType := roleFilter.AccessType
 	entity := roleFilter.Entity
@@ -372,7 +368,8 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForJobsEntity(roleFilter
 	return policiesToBeAdded, nil
 }
 
-func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token string, managerAuth func(resource, token string, object string) bool) (*bean.RoleGroup, error) {
+func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token string, checkRBACForGroupUpdate func(token string, groupInfo *bean.RoleGroup,
+	eliminatedRoleFilters []*repository.RoleModel) (isAuthorised bool, err error)) (*bean.RoleGroup, error) {
 	dbConnection := impl.roleGroupRepository.GetConnection()
 	tx, err := dbConnection.Begin()
 	if err != nil {
@@ -404,6 +401,8 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 	var eliminatedPolicies []casbin2.Policy
 	capacity, mapping := impl.userCommonService.GetCapacityForRoleFilter(request.RoleFilters)
 	var policies = make([]casbin2.Policy, 0, capacity)
+	var eliminatedRoleModels []*repository.RoleModel
+	var items []casbin2.Policy
 	if request.SuperAdmin == false {
 		roleGroupMappingModels, err := impl.roleGroupRepository.GetRoleGroupRoleMappingByRoleGroupId(roleGroup.Id)
 		if err != nil {
@@ -417,7 +416,7 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 
 		// DELETE PROCESS STARTS
 
-		items, err := impl.userCommonService.RemoveRolesAndReturnEliminatedPoliciesForGroups(request, existingRoles, eliminatedRoles, tx, token, managerAuth)
+		items, eliminatedRoleModels, err = impl.userCommonService.RemoveRolesAndReturnEliminatedPoliciesForGroups(request, existingRoles, eliminatedRoles, tx)
 		if err != nil {
 			return nil, err
 		}
@@ -427,32 +426,24 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 		//Adding New Policies
 		for index, roleFilter := range request.RoleFilters {
 			if roleFilter.Entity == bean.CLUSTER_ENTITIY {
-				policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, roleGroup, existingRoles, token, managerAuth, tx, mapping[index])
+				policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, roleGroup, existingRoles, tx, mapping[index])
 				policies = append(policies, policiesToBeAdded...)
 				if err != nil {
 					impl.logger.Errorw("error in creating updating role group for cluster entity", "err", err, "roleFilter", roleFilter)
 				}
 			} else {
-				if len(roleFilter.Team) > 0 {
-					// check auth only for apps permission, skip for chart group
-					rbacObject := fmt.Sprintf("%s", roleFilter.Team)
-					isValidAuth := managerAuth(casbin2.ResourceUser, token, rbacObject)
-					if !isValidAuth {
-						continue
-					}
-				}
 				switch roleFilter.Entity {
 				case bean2.EntityJobs:
 					{
-						policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForJobsEntity(roleFilter, request.UserId, roleGroup, existingRoles, token, managerAuth, tx, mapping[index])
+						policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForJobsEntity(roleFilter, request.UserId, roleGroup, existingRoles, tx, mapping[index])
 						policies = append(policies, policiesToBeAdded...)
 						if err != nil {
 							impl.logger.Errorw("error in creating updating role group for jobs entity", "err", err, "roleFilter", roleFilter)
 						}
 					}
 				default:
 					{
-						policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForOtherEntity(roleFilter, request, roleGroup, existingRoles, token, managerAuth, tx, mapping[index])
+						policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForOtherEntity(roleFilter, request, roleGroup, existingRoles, tx, mapping[index])
 						policies = append(policies, policiesToBeAdded...)
 						if err != nil {
 							impl.logger.Errorw("error in creating updating role group for other entity", "err", err, "roleFilter", roleFilter)
@@ -486,6 +477,22 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 			policies = append(policies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(roleGroup.CasbinName), Obj: casbin2.Object(roleModel.Role)})
 		}
 	}
+
+	if checkRBACForGroupUpdate != nil {
+		isAuthorised, err := checkRBACForGroupUpdate(token, request, eliminatedRoleModels)
+		if err != nil {
+			impl.logger.Errorw("error in checking RBAC for role group update", "err", err, "request", request)
+			return nil, err
+		} else if !isAuthorised {
+			impl.logger.Errorw("rbac check failed for role group update", "request", request)
+			return nil, &util.ApiError{
+				Code:           "403",
+				HttpStatusCode: http.StatusForbidden,
+				UserMessage:    "unauthorized",
+			}
+		}
+	}
+
 	//deleting policies from casbin
 	impl.logger.Debugw("eliminated policies", "eliminatedPolicies", eliminatedPolicies)
 	if len(eliminatedPolicies) > 0 {
Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,7 @@ const (`
`118`	`118`	`USER_TYPE_API_TOKEN = "apiToken"`
`119`	`119`	`CHART_GROUP_ENTITY = "chart-group"`
`120`	`120`	`CLUSTER_ENTITIY = "cluster"`
	`121`	`+ ACTION_SUPERADMIN = "super-admin"`
`121`	`122`	`)`
`122`	`123`
`123`	`124`	`type UserListingResponse struct {`
Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,7 @@ func (impl ApiTokenServiceImpl) CreateApiToken(request *openapi.CreateApiTokenRe`
`205`	`205`	`EmailId: email,`
`206`	`206`	`UserType: bean.USER_TYPE_API_TOKEN,`
`207`	`207`	`}`
`208`		`- createUserResponse, _, err := impl.userService.CreateUser(&createUserRequest, token, managerAuth)`
	`208`	`+ createUserResponse, err := impl.userService.CreateUser(&createUserRequest)`
`209`	`209`	`if err != nil {`
`210`	`210`	`impl.logger.Errorw("error while creating user for api-token", "email", email, "error", err)`
`211`	`211`	`return nil, err`