main merge

Author: Ashish-devtron

Wire.go

@@ -228,6 +228,8 @@ func InitializeApp() (*App, error) {
 
 		pipeline.NewPipelineBuilderImpl,
 		wire.Bind(new(pipeline.PipelineBuilder), new(*pipeline.PipelineBuilderImpl)),
+		pipeline.NewBuildPipelineSwitchServiceImpl,
+		wire.Bind(new(pipeline.BuildPipelineSwitchService), new(*pipeline.BuildPipelineSwitchServiceImpl)),
 		pipeline.NewCiPipelineConfigServiceImpl,
 		wire.Bind(new(pipeline.CiPipelineConfigService), new(*pipeline.CiPipelineConfigServiceImpl)),
 		pipeline.NewCiMaterialConfigServiceImpl,

api/bean/AppView.go

@@ -69,6 +69,7 @@ type GenericNoteResponseBean struct {
 type JobContainer struct {
 	JobId          int                     `json:"jobId"`
 	JobName        string                  `json:"jobName""`
+	JobActualName  string                  `json:"appName""`
 	Description    GenericNoteResponseBean `json:"description"`
 	JobCiPipelines []JobCIPipeline         `json:"ciPipelines"'`
 }
@@ -87,6 +88,7 @@ type JobCIPipeline struct {
 type JobListingContainer struct {
 	JobId                        int       `sql:"job_id" json:"jobId"`
 	JobName                      string    `sql:"job_name" json:"jobName"`
+	JobActualName                string    `sql:"app_name" json:"appName"`
 	Description                  string    `sql:"description" json:"description"`
 	CiPipelineID                 int       `sql:"ci_pipeline_id" json:"ciPipelineID"`
 	CiPipelineName               string    `sql:"ci_pipeline_name" json:"ciPipelineName"`
@@ -161,6 +163,7 @@ type DeploymentDetailContainer struct {
 	Deprecated                    bool            `json:"deprecated"`
 	K8sVersion                    string          `json:"k8sVersion"`
 	CiArtifactId                  int             `json:"ciArtifactId"`
+	ParentArtifactId              int             `json:"parentArtifactId"`
 	ClusterId                     int             `json:"clusterId"`
 	DeploymentAppType             string          `json:"deploymentAppType"`
 	CiPipelineId                  int             `json:"-"`

api/bean/UserRequest.go

@@ -66,6 +66,7 @@ type RoleFilter struct {
 	Group     string `json:"group"`
 	Kind      string `json:"kind"`
 	Resource  string `json:"resource"`
+	Workflow  string `json:"workflow"`
 }
 
 type Role struct {

api/k8s/application/k8sApplicationRestHandler.go

@@ -201,6 +201,14 @@ func (handler *K8sApplicationRestHandlerImpl) GetResource(w http.ResponseWriter,
 		common.WriteJsonResp(w, err, resource, http.StatusInternalServerError)
 		return
 	}
+	if resource != nil {
+		err = resource.SetRunningEphemeralContainers()
+		if err != nil {
+			handler.logger.Errorw("error in setting running ephemeral containers and setting them in resource response", "err", err)
+			common.WriteJsonResp(w, err, resource, http.StatusInternalServerError)
+			return
+		}
+	}
 
 	canUpdate := false
 	// Obfuscate secret if user does not have edit access

api/restHandler/AppListingRestHandler.go

@@ -26,9 +26,10 @@ import (
 	"github.com/caarlos0/env/v6"
 	k8sCommonBean "github.com/devtron-labs/common-lib/utils/k8s/commonBean"
 	"github.com/devtron-labs/common-lib/utils/k8s/health"
+	k8sObjectUtils "github.com/devtron-labs/common-lib/utils/k8sObjectsUtil"
 	"github.com/devtron-labs/devtron/api/bean"
 	client "github.com/devtron-labs/devtron/api/helm-app"
-	bean2 "github.com/devtron-labs/devtron/api/restHandler/bean"
+
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	"github.com/devtron-labs/devtron/client/argocdServer/application"
 	"github.com/devtron-labs/devtron/client/cron"
@@ -212,14 +213,45 @@ func (handler AppListingRestHandlerImpl) FetchJobs(w http.ResponseWriter, r *htt
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
 		return
 	}
+	user, err := handler.userService.GetById(userId)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
 	isSuperAdmin, err := handler.userService.IsSuperAdmin(int(userId))
-	if !isSuperAdmin || err != nil {
-		if err != nil {
-			handler.logger.Errorw("request err, CheckSuperAdmin", "err", isSuperAdmin, "isSuperAdmin", isSuperAdmin)
-		}
+	if err != nil {
+		handler.logger.Errorw("request err, CheckSuperAdmin", "err", isSuperAdmin, "isSuperAdmin", isSuperAdmin)
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
 		return
 	}
+	var validAppIds []int
+	//for non super admin users
+	if !isSuperAdmin {
+		userEmailId := strings.ToLower(user.EmailId)
+		rbacObjectsForAllAppsMap := handler.enforcerUtil.GetRbacObjectsForAllApps(helper.Job)
+		rbacObjectToAppIdMap := make(map[string]int)
+		rbacObjects := make([]string, len(rbacObjectsForAllAppsMap))
+		itr := 0
+		for appId, object := range rbacObjectsForAllAppsMap {
+			rbacObjects[itr] = object
+			rbacObjectToAppIdMap[object] = appId
+			itr++
+		}
+
+		result := handler.enforcer.EnforceByEmailInBatch(userEmailId, casbin.ResourceJobs, casbin.ActionGet, rbacObjects)
+		//O(n) loop, n = len(rbacObjectsForAllAppsMap)
+		for object, ok := range result {
+			if ok {
+				validAppIds = append(validAppIds, rbacObjectToAppIdMap[object])
+			}
+		}
+
+		if len(validAppIds) == 0 {
+			handler.logger.Infow("user doesn't have access to any app", "userId", userId)
+			common.WriteJsonResp(w, err, bean.JobContainerResponse{}, http.StatusOK)
+			return
+		}
+	}
 	var fetchJobListingRequest app.FetchAppListingRequest
 	decoder := json.NewDecoder(r.Body)
 	err = decoder.Decode(&fetchJobListingRequest)
@@ -228,6 +260,10 @@ func (handler AppListingRestHandlerImpl) FetchJobs(w http.ResponseWriter, r *htt
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
+
+	// fetching only those jobs whose access user has by setting valid app Ids.
+	fetchJobListingRequest.AppIds = validAppIds
+
 	jobs, err := handler.appListingService.FetchJobs(fetchJobListingRequest)
 	if err != nil {
 		handler.logger.Errorw("service err, FetchJobs", "err", err, "payload", fetchJobListingRequest)
@@ -259,21 +295,21 @@ func (handler AppListingRestHandlerImpl) FetchJobOverviewCiPipelines(w http.Resp
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
 		return
 	}
-	isSuperAdmin, err := handler.userService.IsSuperAdmin(int(userId))
-	if !isSuperAdmin || err != nil {
-		if err != nil {
-			handler.logger.Errorw("request err, CheckSuperAdmin", "err", isSuperAdmin, "isSuperAdmin", isSuperAdmin)
-		}
-		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
-		return
-	}
 	vars := mux.Vars(r)
 	jobId, err := strconv.Atoi(vars["jobId"])
 	if err != nil {
 		handler.logger.Errorw("request err, GetAppMetaInfo", "err", err, "jobId", jobId)
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
+	//RBAC
+	token := r.Header.Get("token")
+	object := handler.enforcerUtil.GetAppRBACNameByAppId(jobId)
+	if ok := handler.enforcer.Enforce(token, casbin.ResourceJobs, casbin.ActionGet, object); !ok {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
+		return
+	}
+	//RBAC ENDS
 	job, err := handler.pipeline.GetApp(jobId)
 	if err != nil || job == nil || job.AppType != helper.Job {
 		handler.logger.Errorw("Job with the given Id does not exist", "err", err, "jobId", jobId)
@@ -718,7 +754,7 @@ func (handler AppListingRestHandlerImpl) FetchAppsByEnvironmentV2(w http.Respons
 	//for non super admin users
 	if !isActionUserSuperAdmin {
 		userEmailId := strings.ToLower(user.EmailId)
-		rbacObjectsForAllAppsMap := handler.enforcerUtil.GetRbacObjectsForAllApps()
+		rbacObjectsForAllAppsMap := handler.enforcerUtil.GetRbacObjectsForAllApps(helper.CustomApp)
 		rbacObjectToAppIdMap := make(map[string]int)
 		rbacObjects := make([]string, len(rbacObjectsForAllAppsMap))
 		itr := 0
@@ -1212,7 +1248,8 @@ func (handler AppListingRestHandlerImpl) FetchAppStageStatus(w http.ResponseWrit
 
 	// RBAC enforcer applying
 	object := handler.enforcerUtil.GetAppRBACName(app.AppName)
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceApplications, casbin.ActionGet, object); !ok {
+	ok := handler.enforcerUtil.CheckAppRbacForAppOrJob(token, object, casbin.ActionGet)
+	if !ok {
 		common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), "Unauthorized User", http.StatusForbidden)
 		return
 	}
@@ -1285,7 +1322,8 @@ func (handler AppListingRestHandlerImpl) FetchMinDetailOtherEnvironment(w http.R
 
 	// RBAC enforcer applying
 	object := handler.enforcerUtil.GetAppRBACName(app.AppName)
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceApplications, casbin.ActionGet, object); !ok {
+	ok := handler.enforcerUtil.CheckAppRbacForAppOrJob(token, object, casbin.ActionGet)
+	if !ok {
 		common.WriteJsonResp(w, err, "unauthorized user", http.StatusForbidden)
 		return
 	}
@@ -1542,7 +1580,7 @@ func (handler AppListingRestHandlerImpl) fetchResourceTree(w http.ResponseWriter
 			handler.logger.Errorw("error in getting pods by label", "err", err, "clusterId", cdPipeline.Environment.ClusterId, "namespace", cdPipeline.Environment.Namespace, "label", label)
 			return resourceTree, err
 		}
-		ephemeralContainersMap := bean2.ExtractEphemeralContainers(pods)
+		ephemeralContainersMap := k8sObjectUtils.ExtractEphemeralContainers(pods)
 		for _, metaData := range resp.PodMetadata {
 			metaData.EphemeralContainers = ephemeralContainersMap[metaData.Name]
 		}

api/restHandler/AppRestHandler.go

@@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	client "github.com/devtron-labs/devtron/api/helm-app"
 	"github.com/devtron-labs/devtron/api/restHandler/common"
+	"github.com/devtron-labs/devtron/internal/sql/repository/helper"
 	"github.com/devtron-labs/devtron/pkg/app"
 	"github.com/devtron-labs/devtron/pkg/bean"
 	"github.com/devtron-labs/devtron/pkg/genericNotes"
@@ -90,7 +91,7 @@ func (handler AppRestHandlerImpl) GetAllLabels(w http.ResponseWriter, r *http.Re
 		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 		return
 	}
-	objects := handler.enforcerUtil.GetRbacObjectsForAllApps()
+	objects := handler.enforcerUtil.GetRbacObjectsForAllApps(helper.CustomApp)
 	for _, label := range labels {
 		object := objects[label.AppId]
 		if ok := handler.enforcer.Enforce(token, casbin.ResourceApplications, casbin.ActionGet, object); ok {
@@ -117,7 +118,8 @@ func (handler AppRestHandlerImpl) GetAppMetaInfo(w http.ResponseWriter, r *http.
 	//rback implementation starts here
 	token := r.Header.Get("token")
 	object := handler.enforcerUtil.GetAppRBACNameByAppId(appId)
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceApplications, casbin.ActionGet, object); !ok {
+	ok := handler.enforcerUtil.CheckAppRbacForAppOrJob(token, object, casbin.ActionGet)
+	if !ok {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
 		return
 	}
@@ -207,14 +209,16 @@ func (handler AppRestHandlerImpl) UpdateApp(w http.ResponseWriter, r *http.Reque
 
 	// check for existing project/app permission
 	object := handler.enforcerUtil.GetAppRBACNameByAppId(request.Id)
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceApplications, casbin.ActionUpdate, object); !ok {
+	ok := handler.enforcerUtil.CheckAppRbacForAppOrJob(token, object, casbin.ActionUpdate)
+	if !ok {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
 		return
 	}
 
 	// check for request project/app permission
 	object = handler.enforcerUtil.GetAppRBACNameByTeamIdAndAppId(request.TeamId, request.Id)
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceApplications, casbin.ActionUpdate, object); !ok {
+	ok = handler.enforcerUtil.CheckAppRbacForAppOrJob(token, object, casbin.ActionUpdate)
+	if !ok {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
 		return
 	}
@@ -372,7 +376,8 @@ func (handler AppRestHandlerImpl) UpdateAppNote(w http.ResponseWriter, r *http.R
 
 	// check for existing project/app permission
 	object := handler.enforcerUtil.GetAppRBACNameByAppId(bean.Identifier)
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceApplications, casbin.ActionUpdate, object); !ok {
+	ok := handler.enforcerUtil.CheckAppRbacForAppOrJob(token, object, casbin.ActionUpdate)
+	if !ok {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
 		return
 	}