devtron-labs · Shivam-nagar23 · Jan 23, 2024 · Jan 11, 2024 · Jan 11, 2024 · Jan 11, 2024
@@ -203,8 +203,8 @@ func (handler *K8sApplicationRestHandlerImpl) GetResource(w http.ResponseWriter,
 		common.WriteJsonResp(w, err, resource, http.StatusInternalServerError)
 		return
 	}
-	if resource != nil {
-		err = resource.SetRunningEphemeralContainers()
+	if resource != nil && resource.ManifestResponse != nil {
+		err = resource.ManifestResponse.SetRunningEphemeralContainers()
 		if err != nil {
 			handler.logger.Errorw("error in setting running ephemeral containers and setting them in resource response", "err", err)
 			common.WriteJsonResp(w, err, resource, http.StatusInternalServerError)
@@ -216,10 +216,10 @@ func (handler *K8sApplicationRestHandlerImpl) GetResource(w http.ResponseWriter,
 	// Obfuscate secret if user does not have edit access
 	if request.AppIdentifier == nil && request.DevtronAppIdentifier == nil && request.ClusterId > 0 {
 		// Verify update access for Resource Browser
-		canUpdate = handler.k8sApplicationService.ValidateClusterResourceBean(r.Context(), request.ClusterId, resource.Manifest, request.K8sRequest.ResourceIdentifier.GroupVersionKind, handler.getRbacCallbackForResource(token, casbin.ActionUpdate))
+		canUpdate = handler.k8sApplicationService.ValidateClusterResourceBean(r.Context(), request.ClusterId, resource.ManifestResponse.Manifest, request.K8sRequest.ResourceIdentifier.GroupVersionKind, handler.getRbacCallbackForResource(token, casbin.ActionUpdate))
 		if !canUpdate {
 			// Verify read access for Resource Browser
-			readAllowed := handler.k8sApplicationService.ValidateClusterResourceBean(r.Context(), request.ClusterId, resource.Manifest, request.K8sRequest.ResourceIdentifier.GroupVersionKind, handler.getRbacCallbackForResource(token, casbin.ActionGet))
+			readAllowed := handler.k8sApplicationService.ValidateClusterResourceBean(r.Context(), request.ClusterId, resource.ManifestResponse.Manifest, request.K8sRequest.ResourceIdentifier.GroupVersionKind, handler.getRbacCallbackForResource(token, casbin.ActionGet))
 			if !readAllowed {
 				common.WriteJsonResp(w, errors2.New("unauthorized"), nil, http.StatusForbidden)
 				return
@@ -228,14 +228,16 @@ func (handler *K8sApplicationRestHandlerImpl) GetResource(w http.ResponseWriter,
 	}
 	if !canUpdate && resource != nil {
 		// Hide secret for read only access
-		modifiedManifest, err := k8sObjectsUtil.HideValuesIfSecret(&resource.Manifest)
+		modifiedManifest, err := k8sObjectsUtil.HideValuesIfSecret(&resource.ManifestResponse.Manifest)
 		if err != nil {
 			handler.logger.Errorw("error in hiding secret values", "err", err)
 			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 			return
 		}
-		resource.Manifest = *modifiedManifest
+		resource.ManifestResponse.Manifest = *modifiedManifest
 	}
+	// setting flag for secret view access only for resource browser
+	resource.SecretViewAccess = canUpdate
 
 	common.WriteJsonResp(w, nil, resource, http.StatusOK)
 }

@@ -838,7 +838,7 @@ func (impl *UserTerminalAccessServiceImpl) getPodManifest(ctx context.Context, c
 			return nil, err
 		}
 	}
-	return response, nil
+	return response.ManifestResponse, nil
 }
 
 func (impl *UserTerminalAccessServiceImpl) getPodRequestBean(clusterId int, podName string, namespace string) (*k8s.ResourceRequestBean, error) {
@@ -1130,7 +1130,7 @@ func (impl *UserTerminalAccessServiceImpl) EditTerminalPodManifest(ctx context.C
 func (impl *UserTerminalAccessServiceImpl) checkOtherPodExists(ctx context.Context, podName, namespace string, clusterId int) bool {
 	podRequestBean, _ := impl.getPodRequestBean(clusterId, podName, namespace)
 	res, _ := impl.K8sCommonService.GetResource(ctx, podRequestBean)
-	if res != nil {
+	if res != nil && res.ManifestResponse != nil {
 		return true
 	}
 	return false

@@ -27,7 +27,7 @@ import (
 )
 
 type K8sCommonService interface {
-	GetResource(ctx context.Context, request *ResourceRequestBean) (resp *k8s.ManifestResponse, err error)
+	GetResource(ctx context.Context, request *ResourceRequestBean) (resp *ResourceGetResponse, err error)
 	UpdateResource(ctx context.Context, request *ResourceRequestBean) (resp *k8s.ManifestResponse, err error)
 	DeleteResource(ctx context.Context, request *ResourceRequestBean) (resp *k8s.ManifestResponse, err error)
 	ListEvents(ctx context.Context, request *ResourceRequestBean) (*k8s.EventsResponse, error)
@@ -65,7 +65,7 @@ func NewK8sCommonServiceImpl(Logger *zap.SugaredLogger, k8sUtils *k8s.K8sService
 	}
 }
 
-func (impl *K8sCommonServiceImpl) GetResource(ctx context.Context, request *ResourceRequestBean) (*k8s.ManifestResponse, error) {
+func (impl *K8sCommonServiceImpl) GetResource(ctx context.Context, request *ResourceRequestBean) (*ResourceGetResponse, error) {
 	clusterId := request.ClusterId
 	//getting rest config by clusterId
 	restConfig, err, _ := impl.GetRestConfigByClusterId(ctx, clusterId)
@@ -79,7 +79,10 @@ func (impl *K8sCommonServiceImpl) GetResource(ctx context.Context, request *Reso
 		impl.logger.Errorw("error in getting resource", "err", err, "resource", resourceIdentifier.Name)
 		return nil, err
 	}
-	return resp, nil
+	response := &ResourceGetResponse{
+		ManifestResponse: resp,
+	}
+	return response, nil
 }
 
 func (impl *K8sCommonServiceImpl) UpdateResource(ctx context.Context, request *ResourceRequestBean) (*k8s.ManifestResponse, error) {
@@ -292,7 +295,11 @@ func (impl *K8sCommonServiceImpl) getManifestsByBatch(ctx context.Context, reque
 			wg.Add(1)
 			go func(j int) {
 				resp := BatchResourceResponse{}
-				resp.ManifestResponse, resp.Err = impl.GetResource(ctx, &requests[i+j])
+				response, err := impl.GetResource(ctx, &requests[i+j])
+				if response != nil {
+					resp.ManifestResponse = response.ManifestResponse
+				}
+				resp.Err = err
 				res[i+j] = resp
 				wg.Done()
 			}(j)

@@ -338,7 +338,7 @@ func (impl *K8sApplicationServiceImpl) ValidateClusterResourceRequest(ctx contex
 		impl.logger.Errorw("error in getting resource", "err", err, "request", clusterResourceRequest)
 		return false, err
 	}
-	return impl.validateResourceManifest(clusterName, respManifest.Manifest, k8sRequest.ResourceIdentifier.GroupVersionKind, rbacCallback), nil
+	return impl.validateResourceManifest(clusterName, respManifest.ManifestResponse.Manifest, k8sRequest.ResourceIdentifier.GroupVersionKind, rbacCallback), nil
 }
 
 func (impl *K8sApplicationServiceImpl) validateResourceManifest(clusterName string, resourceManifest unstructured.Unstructured, gvk schema.GroupVersionKind, rbacCallback func(clusterName string, resourceIdentifier k8s2.ResourceIdentifier) bool) bool {

@@ -35,3 +35,8 @@ type PodContainerList struct {
 	InitContainers      []string
 	EphemeralContainers []string
 }
+
+type ResourceGetResponse struct {
+	ManifestResponse *k8s.ManifestResponse `json:"manifestResponse"`
+	SecretViewAccess bool                  `json:"secretViewAccess"` // imp: only for resource browser, this is being used to check whether a user can see obscured secret values or not.
+}
@@ -472,12 +472,12 @@ func (impl *K8sCapacityServiceImpl) updateManifestData(ctx context.Context, node
 		K8sRequest: manifestRequest,
 		ClusterId:  clusterId,
 	}
-	manifestResponse, err := impl.k8sCommonService.GetResource(ctx, request)
+	response, err := impl.k8sCommonService.GetResource(ctx, request)
 	if err != nil {
 		impl.logger.Errorw("error in getting node manifest", "err", err)
 		return err
 	}
-	nodeDetail.Manifest = manifestResponse.Manifest
+	nodeDetail.Manifest = response.ManifestResponse.Manifest
 	return nil
 }
 

@@ -4525,7 +4525,7 @@ func (impl *WorkflowDagExecutorImpl) autoscalingCheckBeforeTrigger(ctx context.C
 				impl.logger.Errorw("error occurred while fetching resource for app", "resourceName", hpaResourceRequest.ResourceName, "err", err)
 				return merged
 			}
-			resourceManifest = k8sResource.Manifest.Object
+			resourceManifest = k8sResource.ManifestResponse.Manifest.Object
 		}
 		if len(resourceManifest) > 0 {
 			statusMap := resourceManifest["status"].(map[string]interface{})

@@ -466,6 +466,7 @@ func (impl ConfigMapHistoryServiceImpl) GetHistoryForDeployedCMCSById(ctx contex
 			VariableSnapshot: variableSnapshotMap,
 			ResolvedValue:    resolvedTemplate,
 		},
+		SecretViewAccess: userHasAdminAccess,
 	}
 	if configType == repository.SECRET_TYPE {
 		if config.Data != nil {

@@ -58,6 +58,7 @@ type HistoryDetailDto struct {
 	SubPath            *bool                `json:"subPath,omitempty"`
 	FilePermission     string               `json:"filePermission,omitempty"`
 	CodeEditorValue    *HistoryDetailConfig `json:"codeEditorValue"`
+	SecretViewAccess   bool                 `json:"secretViewAccess"` // this is being used to check whether a user can see obscured secret values or not.
 }
 
 type HistoryDetailConfig struct {

@@ -357,6 +357,18 @@ components:
         patch:
           type: string
     ResourceGetResponse:
+      type: object
+      properties:
+        manifestResponse:
+          $ref: '#/components/schemas/ManifestResponse'
+        secretViewAccess:
+          type: boolean
+          description: >
+            Indicates whether a user can see obscured secret values or not.
+      required:
+        - manifestResponse
+        - secretViewAccess
+    ManifestResponse:
       type: object
       properties:
         manifest: