devtron-labs · manish-agrawal-ai · Jan 6, 2023 · Dec 29, 2022 · Dec 29, 2022 · Dec 29, 2022
@@ -212,8 +212,8 @@ func (impl ApiTokenRestHandlerImpl) DeleteApiToken(w http.ResponseWriter, r *htt
 	common.WriteJsonResp(w, err, res, http.StatusOK)
 }
 
-func (handler ApiTokenRestHandlerImpl) checkManagerAuth(token string, object string) bool {
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionUpdate, strings.ToLower(object)); !ok {
+func (handler ApiTokenRestHandlerImpl) checkManagerAuth(resource, token, object string) bool {
+	if ok := handler.enforcer.Enforce(token, resource, casbin.ActionUpdate, strings.ToLower(object)); !ok {
 		return false
 	}
 	return true

@@ -60,6 +60,12 @@ type RoleFilter struct {
 	Environment string `json:"environment"`
 	Action      string `json:"action"`
 	AccessType  string `json:"accessType"`
+
+	Cluster   string `json:"cluster"`
+	Namespace string `json:"namespace"`
+	Group     string `json:"group"`
+	Kind      string `json:"kind"`
+	Resource  string `json:"resource"`
 }
 
 type Role struct {
@@ -76,6 +82,12 @@ type RoleData struct {
 	Environment string `json:"environment"`
 	Action      string `json:"action"`
 	AccessType  string `json:"accessType"`
+
+	Cluster   string `json:"cluster"`
+	Namespace string `json:"namespace"`
+	Group     string `json:"group"`
+	Kind      string `json:"kind"`
+	Resource  string `json:"resource"`
 }
 
 type SSOLoginDto struct {
@@ -95,11 +107,11 @@ const (
 type PolicyType int
 
 const (
-	POLICY_DIRECT PolicyType = 1
-	POLICY_GROUP  PolicyType = 1
+	POLICY_DIRECT        PolicyType = 1
+	POLICY_GROUP         PolicyType = 1
+	SUPERADMIN                      = "role:super-admin___"
+	APP_ACCESS_TYPE_HELM            = "helm-app"
+	USER_TYPE_API_TOKEN             = "apiToken"
+	CHART_GROUP_ENTITY              = "chart-group"
+	CLUSTER_ENTITIY                 = "cluster"
 )
-
-const SUPERADMIN = "role:super-admin___"
-const APP_ACCESS_TYPE_HELM = "helm-app"
-
-const USER_TYPE_API_TOKEN = "apiToken"
@@ -51,7 +51,9 @@ type ClusterRestHandler interface {
 
 	FindAllForAutoComplete(w http.ResponseWriter, r *http.Request)
 	DeleteCluster(w http.ResponseWriter, r *http.Request)
+	GetClusterNamespaces(w http.ResponseWriter, r *http.Request)
 	GetAllClusterNamespaces(w http.ResponseWriter, r *http.Request)
+	FindAllForClusterPermission(w http.ResponseWriter, r *http.Request)
 }
 
 type ClusterRestHandlerImpl struct {
@@ -376,3 +378,62 @@ func (impl ClusterRestHandlerImpl) GetAllClusterNamespaces(w http.ResponseWriter
 
 	common.WriteJsonResp(w, nil, clusterNamespaces, http.StatusOK)
 }
+
+func (impl ClusterRestHandlerImpl) GetClusterNamespaces(w http.ResponseWriter, r *http.Request) {
+	//token := r.Header.Get("token")
+	vars := mux.Vars(r)
+	clusterIdString := vars["clusterId"]
+
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		impl.logger.Errorw("user not authorized", "error", err, "userId", userId)
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	token := r.Header.Get("token")
+	isActionUserSuperAdmin := false
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
+		isActionUserSuperAdmin = true
+	}
+	clusterId, err := strconv.Atoi(clusterIdString)
+	if err != nil {
+		impl.logger.Errorw("failed to extract clusterId from param", "error", err, "clusterId", clusterIdString)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	allClusterNamespaces, err := impl.clusterService.FindAllNamespacesByUserIdAndClusterId(userId, clusterId, isActionUserSuperAdmin)
+	if err != nil {
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, nil, allClusterNamespaces, http.StatusOK)
+}
+
+func (impl ClusterRestHandlerImpl) FindAllForClusterPermission(w http.ResponseWriter, r *http.Request) {
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		impl.logger.Errorw("user not authorized", "error", err, "userId", userId)
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	token := r.Header.Get("token")
+	isActionUserSuperAdmin := false
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
+		isActionUserSuperAdmin = true
+	}
+	clusterList, err := impl.clusterService.FindAllForClusterByUserId(userId, isActionUserSuperAdmin)
+	if err != nil {
+		impl.logger.Errorw("error in deleting cluster", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	// RBAC enforcer applying
+	// Already applied at service layer
+	//RBAC enforcer Ends
+
+	if len(clusterList) == 0 {
+		clusterList = make([]cluster.ClusterBean, 0)
+	}
+	common.WriteJsonResp(w, err, clusterList, http.StatusOK)
+}
@@ -57,11 +57,19 @@ func (impl ClusterRouterImpl) InitClusterRouter(clusterRouter *mux.Router) {
 		Methods("GET").
 		HandlerFunc(impl.clusterRestHandler.FindAllForAutoComplete)
 
+	clusterRouter.Path("/namespaces/{clusterId}").
+		Methods("GET").
+		HandlerFunc(impl.clusterRestHandler.GetClusterNamespaces)
+
 	clusterRouter.Path("/namespaces").
 		Methods("GET").
 		HandlerFunc(impl.clusterRestHandler.GetAllClusterNamespaces)
 
 	clusterRouter.Path("").
 		Methods("DELETE").
 		HandlerFunc(impl.clusterRestHandler.DeleteCluster)
+
+	clusterRouter.Path("/auth-list").
+		Methods("GET").
+		HandlerFunc(impl.clusterRestHandler.FindAllForClusterPermission)
 }
@@ -64,21 +64,24 @@ type userNamePassword struct {
 }
 
 type UserRestHandlerImpl struct {
-	userService      user.UserService
-	validator        *validator.Validate
-	logger           *zap.SugaredLogger
-	enforcer         casbin.Enforcer
-	roleGroupService user.RoleGroupService
+	userService       user.UserService
+	validator         *validator.Validate
+	logger            *zap.SugaredLogger
+	enforcer          casbin.Enforcer
+	roleGroupService  user.RoleGroupService
+	userCommonService user.UserCommonService
 }
 
 func NewUserRestHandlerImpl(userService user.UserService, validator *validator.Validate,
-	logger *zap.SugaredLogger, enforcer casbin.Enforcer, roleGroupService user.RoleGroupService) *UserRestHandlerImpl {
+	logger *zap.SugaredLogger, enforcer casbin.Enforcer, roleGroupService user.RoleGroupService,
+	userCommonService user.UserCommonService) *UserRestHandlerImpl {
 	userAuthHandler := &UserRestHandlerImpl{
-		userService:      userService,
-		validator:        validator,
-		logger:           logger,
-		enforcer:         enforcer,
-		roleGroupService: roleGroupService,
+		userService:       userService,
+		validator:         validator,
+		logger:            logger,
+		enforcer:          enforcer,
+		roleGroupService:  roleGroupService,
+		userCommonService: userCommonService,
 	}
 	return userAuthHandler
 }
@@ -507,6 +510,12 @@ func (handler UserRestHandlerImpl) CreateRoleGroup(w http.ResponseWriter, r *htt
 					return
 				}
 			}
+			if filter.Entity == bean.CLUSTER_ENTITIY && !isActionUserSuperAdmin {
+				if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !isValidAuth {
+					common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+					return
+				}
+			}
 		}
 	} else {
 		if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionCreate, "*"); !ok {
@@ -881,8 +890,8 @@ func (handler UserRestHandlerImpl) InvalidateRoleCache(w http.ResponseWriter, r
 
 }
 
-func (handler UserRestHandlerImpl) CheckManagerAuth(token string, object string) bool {
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionUpdate, strings.ToLower(object)); !ok {
+func (handler UserRestHandlerImpl) CheckManagerAuth(resource, token string, object string) bool {
+	if ok := handler.enforcer.Enforce(token, resource, casbin.ActionUpdate, strings.ToLower(object)); !ok {
 		return false
 	}
 	return true

@@ -11,11 +11,14 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/dynamic"
 	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/rest"
 	"k8s.io/utils/pointer"
+	"net/http"
+	"strings"
 )
 
 type K8sClientService interface {
@@ -25,6 +28,9 @@ type K8sClientService interface {
 	DeleteResource(restConfig *rest.Config, request *K8sRequestBean) (resp *ManifestResponse, err error)
 	ListEvents(restConfig *rest.Config, request *K8sRequestBean) (*EventsResponse, error)
 	GetPodLogs(restConfig *rest.Config, request *K8sRequestBean) (io.ReadCloser, error)
+	GetApiResources(restConfig *rest.Config, includeOnlyVerb string) ([]*K8sApiResource, error)
+	GetResourceList(restConfig *rest.Config, request *K8sRequestBean) (*ResourceListResponse, bool, error)
+	ApplyResource(restConfig *rest.Config, request *K8sRequestBean, manifest string) (*ManifestResponse, error)
 }
 
 type K8sClientServiceImpl struct {
@@ -66,6 +72,10 @@ type EventsResponse struct {
 	Events *apiv1.EventList `json:"events,omitempty"`
 }
 
+type ResourceListResponse struct {
+	Resources unstructured.UnstructuredList `json:"resources,omitempty"`
+}
+
 func (impl K8sClientServiceImpl) GetResource(restConfig *rest.Config, request *K8sRequestBean) (*ManifestResponse, error) {
 	resourceIf, namespaced, err := impl.GetResourceIf(restConfig, request)
 	if err != nil {
@@ -251,6 +261,36 @@ func (impl K8sClientServiceImpl) GetResourceIf(restConfig *rest.Config, request
 	return dynamicIf.Resource(resource), apiResource.Namespaced, nil
 }
 
+func (impl K8sClientServiceImpl) GetResourceIfWithAcceptHeader(restConfig *rest.Config, request *K8sRequestBean) (resourceIf dynamic.NamespaceableResourceInterface, namespaced bool, err error) {
+	resourceIdentifier := request.ResourceIdentifier
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(restConfig)
+	if err != nil {
+		impl.logger.Errorw("error in getting k8s client", "err", err)
+		return nil, false, err
+	}
+	apiResource, err := ServerResourceForGroupVersionKind(discoveryClient, resourceIdentifier.GroupVersionKind)
+	if err != nil {
+		impl.logger.Errorw("error in getting server resource", "err", err)
+		return nil, false, err
+	}
+	resource := resourceIdentifier.GroupVersionKind.GroupVersion().WithResource(apiResource.Name)
+	wt := restConfig.WrapTransport // Reference: https://github.com/kubernetes/client-go/issues/407
+	restConfig.WrapTransport = func(rt http.RoundTripper) http.RoundTripper {
+		if wt != nil {
+			rt = wt(rt)
+		}
+		return &HeaderAdder{
+			rt: rt,
+		}
+	}
+	dynamicIf, err := dynamic.NewForConfig(restConfig)
+	if err != nil {
+		impl.logger.Errorw("error in getting dynamic interface for resource", "err", err)
+		return nil, false, err
+	}
+	return dynamicIf.Resource(resource), apiResource.Namespaced, nil
+}
+
 func ServerResourceForGroupVersionKind(discoveryClient discovery.DiscoveryInterface, gvk schema.GroupVersionKind) (*metav1.APIResource, error) {
 	resources, err := discoveryClient.ServerResourcesForGroupVersion(gvk.GroupVersion().String())
 	if err != nil {
@@ -263,3 +303,107 @@ func ServerResourceForGroupVersionKind(discoveryClient discovery.DiscoveryInterf
 	}
 	return nil, errors.NewNotFound(schema.GroupResource{Group: gvk.Group, Resource: gvk.Kind}, "")
 }
+
+// if verb is supplied empty, that means - return all
+func (impl K8sClientServiceImpl) GetApiResources(restConfig *rest.Config, includeOnlyVerb string) ([]*K8sApiResource, error) {
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(restConfig)
+	if err != nil {
+		impl.logger.Errorw("error in getting dynamic k8s client", "err", err)
+		return nil, err
+	}
+
+	apiResourcesListFromK8s, err := discoveryClient.ServerPreferredResources()
+	if err != nil {
+		impl.logger.Errorw("error in getting api-resources from k8s", "err", err)
+		return nil, err
+	}
+
+	var apiResources []*K8sApiResource
+	for _, apiResourceListFromK8s := range apiResourcesListFromK8s {
+		if apiResourceListFromK8s != nil {
+			for _, apiResourceFromK8s := range apiResourceListFromK8s.APIResources {
+				var includeResource bool
+				if len(includeOnlyVerb) > 0 {
+					for _, verb := range apiResourceFromK8s.Verbs {
+						if verb == includeOnlyVerb {
+							includeResource = true
+							break
+						}
+					}
+				} else {
+					includeResource = true
+				}
+				if !includeResource {
+					continue
+				}
+				var group string
+				var version string
+				gv := apiResourceListFromK8s.GroupVersion
+				if len(gv) > 0 {
+					splitGv := strings.Split(gv, "/")
+					if len(splitGv) == 1 {
+						version = splitGv[0]
+					} else {
+						group = splitGv[0]
+						version = splitGv[1]
+					}
+				}
+				apiResources = append(apiResources, &K8sApiResource{
+					Gvk: schema.GroupVersionKind{
+						Group:   group,
+						Version: version,
+						Kind:    apiResourceFromK8s.Kind,
+					},
+					Namespaced: apiResourceFromK8s.Namespaced,
+				})
+			}
+		}
+	}
+	return apiResources, nil
+}
+
+func (impl K8sClientServiceImpl) GetResourceList(restConfig *rest.Config, request *K8sRequestBean) (*ResourceListResponse, bool, error) {
+	resourceIf, namespaced, err := impl.GetResourceIfWithAcceptHeader(restConfig, request)
+	if err != nil {
+		impl.logger.Errorw("error in getting dynamic interface for resource", "err", err)
+		return nil, namespaced, err
+	}
+	resourceIdentifier := request.ResourceIdentifier
+	var resp *unstructured.UnstructuredList
+	listOptions := metav1.ListOptions{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       resourceIdentifier.GroupVersionKind.Kind,
+			APIVersion: resourceIdentifier.GroupVersionKind.GroupVersion().String(),
+		},
+	}
+	if len(resourceIdentifier.Namespace) > 0 && namespaced {
+		resp, err = resourceIf.Namespace(resourceIdentifier.Namespace).List(context.Background(), listOptions)
+	} else {
+		resp, err = resourceIf.List(context.Background(), listOptions)
+	}
+	if err != nil {
+		impl.logger.Errorw("error in getting resource", "err", err, "resource", resourceIdentifier)
+		return nil, namespaced, err
+	}
+	return &ResourceListResponse{*resp}, namespaced, nil
+}
+
+func (impl K8sClientServiceImpl) ApplyResource(restConfig *rest.Config, request *K8sRequestBean, manifest string) (*ManifestResponse, error) {
+	resourceIf, namespaced, err := impl.GetResourceIf(restConfig, request)
+	if err != nil {
+		impl.logger.Errorw("error in getting dynamic interface for resource", "err", err)
+		return nil, err
+	}
+	resourceIdentifier := request.ResourceIdentifier
+	var resp *unstructured.Unstructured
+	if len(resourceIdentifier.Namespace) > 0 && namespaced {
+		resp, err = resourceIf.Namespace(resourceIdentifier.Namespace).Patch(context.Background(), resourceIdentifier.Name, types.StrategicMergePatchType, []byte(manifest), metav1.PatchOptions{FieldManager: "patch"})
+	} else {
+		resp, err = resourceIf.Patch(context.Background(), resourceIdentifier.Name, types.StrategicMergePatchType, []byte(manifest), metav1.PatchOptions{FieldManager: "patch"})
+	}
+	if err != nil {
+		impl.logger.Errorw("error in applying resource", "err", err)
+		return nil, err
+	}
+	return &ManifestResponse{*resp}, nil
+}