Merge branch 'main' into bug-linked-ci

Author: adi6859

.gitbook.yaml

@@ -70,4 +70,10 @@ redirects:
     user-guide/use-cases/connect-django-with-mysql-database: resources/use-cases/connect-django-with-mysql-database
     user-guide/telemetry: resources/telemetry
     getting-started/global-configurations/container-registries: user-guide/global-configurations/container-registries.md
-    getting-started/global-configurations/sso-login: user-guide/global-configurations/sso-login.md
+    getting-started/global-configurations/sso-login: user-guide/global-configurations/sso-login.md
+    getting-started/global-configurations/docker-registries: user-guide/global-configurations/container-registries.md
+    global-configurations/sso-login: user-guide/global-configurations/sso-login.md
+    user-guide/use-cases/untitled-3: user-guide/use-cases/connect-django-with-mysql-database.md
+    global-configurations/api-token: user-guide/global-configurations/authorization/api-tokens.md
+    user-guide/creating-application/workflow/ci-pipeline2: user-guide/creating-application/workflow/ci-pipeline.md
+

api/argoApplication/ArgoApplicationRestHandler.go

@@ -1,8 +1,10 @@
 package argoApplication
 
 import (
+	"errors"
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	"github.com/devtron-labs/devtron/pkg/argoApplication"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
 	"go.uber.org/zap"
 	"net/http"
 	"strconv"
@@ -17,18 +19,26 @@ type ArgoApplicationRestHandler interface {
 type ArgoApplicationRestHandlerImpl struct {
 	argoApplicationService argoApplication.ArgoApplicationService
 	logger                 *zap.SugaredLogger
+	enforcer               casbin.Enforcer
 }
 
 func NewArgoApplicationRestHandlerImpl(argoApplicationService argoApplication.ArgoApplicationService,
-	logger *zap.SugaredLogger) *ArgoApplicationRestHandlerImpl {
+	logger *zap.SugaredLogger, enforcer casbin.Enforcer) *ArgoApplicationRestHandlerImpl {
 	return &ArgoApplicationRestHandlerImpl{
 		argoApplicationService: argoApplicationService,
 		logger:                 logger,
+		enforcer:               enforcer,
 	}
 
 }
 
 func (handler *ArgoApplicationRestHandlerImpl) ListApplications(w http.ResponseWriter, r *http.Request) {
+	// handle super-admin RBAC
+	token := r.Header.Get("token")
+	if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
 	v := r.URL.Query()
 	clusterIdString := v.Get("clusterIds")
 	var clusterIds []int
@@ -54,6 +64,12 @@ func (handler *ArgoApplicationRestHandlerImpl) ListApplications(w http.ResponseW
 }
 
 func (handler *ArgoApplicationRestHandlerImpl) GetApplicationDetail(w http.ResponseWriter, r *http.Request) {
+	// handle super-admin RBAC
+	token := r.Header.Get("token")
+	if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
 	var err error
 	v := r.URL.Query()
 	resourceName := v.Get("name")

api/auth/user/UserRestHandler.go

@@ -45,11 +45,15 @@ type UserRestHandler interface {
 	UpdateUser(w http.ResponseWriter, r *http.Request)
 	GetById(w http.ResponseWriter, r *http.Request)
 	GetAll(w http.ResponseWriter, r *http.Request)
+	GetAllV2(w http.ResponseWriter, r *http.Request)
 	DeleteUser(w http.ResponseWriter, r *http.Request)
+	GetAllDetailedUsers(w http.ResponseWriter, r *http.Request)
 	FetchRoleGroupById(w http.ResponseWriter, r *http.Request)
 	CreateRoleGroup(w http.ResponseWriter, r *http.Request)
 	UpdateRoleGroup(w http.ResponseWriter, r *http.Request)
 	FetchRoleGroups(w http.ResponseWriter, r *http.Request)
+	FetchRoleGroupsV2(w http.ResponseWriter, r *http.Request)
+	FetchDetailedRoleGroups(w http.ResponseWriter, r *http.Request)
 	FetchRoleGroupsByName(w http.ResponseWriter, r *http.Request)
 	DeleteRoleGroup(w http.ResponseWriter, r *http.Request)
 	CheckUserRoles(w http.ResponseWriter, r *http.Request)
@@ -301,7 +305,7 @@ func (handler UserRestHandlerImpl) GetById(w http.ResponseWriter, r *http.Reques
 	common.WriteJsonResp(w, err, res, http.StatusOK)
 }
 
-func (handler UserRestHandlerImpl) GetAll(w http.ResponseWriter, r *http.Request) {
+func (handler UserRestHandlerImpl) GetAllV2(w http.ResponseWriter, r *http.Request) {
 	var decoder = schema.NewDecoder()
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {
@@ -372,7 +376,95 @@ func (handler UserRestHandlerImpl) GetAll(w http.ResponseWriter, r *http.Request
 
 	common.WriteJsonResp(w, err, res, http.StatusOK)
 }
+func (handler UserRestHandlerImpl) GetAll(w http.ResponseWriter, r *http.Request) {
+	userId, err := handler.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
 
+	// RBAC enforcer applying
+	token := r.Header.Get("token")
+	//checking superAdmin access
+	isAuthorised := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*")
+	if !isAuthorised {
+		user, err := handler.userService.GetById(userId)
+		if err != nil {
+			handler.logger.Errorw("error in getting user by id", "err", err)
+			common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
+			return
+		}
+		var roleFilters []bean.RoleFilter
+		if len(user.Groups) > 0 {
+			groupRoleFilters, err := handler.userService.GetRoleFiltersByGroupNames(user.Groups)
+			if err != nil {
+				handler.logger.Errorw("Error in getting role filters by group names", "err", err, "groupNames", user.Groups)
+				common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
+				return
+			}
+			if len(groupRoleFilters) > 0 {
+				roleFilters = append(roleFilters, groupRoleFilters...)
+			}
+		}
+		if user.RoleFilters != nil && len(user.RoleFilters) > 0 {
+			roleFilters = append(roleFilters, user.RoleFilters...)
+		}
+		if len(roleFilters) > 0 {
+			for _, filter := range roleFilters {
+				if len(filter.Team) > 0 {
+					if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionGet, filter.Team); ok {
+						isAuthorised = true
+						break
+					}
+				}
+				if filter.Entity == bean.CLUSTER_ENTITIY {
+					if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); ok {
+						isAuthorised = true
+						break
+					}
+				}
+			}
+		}
+	}
+	if !isAuthorised {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+	res, err := handler.userService.GetAll()
+	if err != nil {
+		handler.logger.Errorw("service err, GetAll", "err", err)
+		common.WriteJsonResp(w, err, "Failed to Get", http.StatusInternalServerError)
+		return
+	}
+
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
+func (handler UserRestHandlerImpl) GetAllDetailedUsers(w http.ResponseWriter, r *http.Request) {
+	userId, err := handler.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+
+	token := r.Header.Get("token")
+	isActionUserSuperAdmin := false
+	if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
+		isActionUserSuperAdmin = true
+	}
+	if !isActionUserSuperAdmin {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+	res, err := handler.userService.GetAllDetailedUsers()
+	if err != nil {
+		handler.logger.Errorw("service err, GetAllDetailedUsers", "err", err)
+		common.WriteJsonResp(w, err, "Failed to Get", http.StatusInternalServerError)
+		return
+	}
+
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
 func (handler UserRestHandlerImpl) DeleteUser(w http.ResponseWriter, r *http.Request) {
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {
@@ -621,7 +713,7 @@ func (handler UserRestHandlerImpl) UpdateRoleGroup(w http.ResponseWriter, r *htt
 	common.WriteJsonResp(w, err, res, http.StatusOK)
 }
 
-func (handler UserRestHandlerImpl) FetchRoleGroups(w http.ResponseWriter, r *http.Request) {
+func (handler UserRestHandlerImpl) FetchRoleGroupsV2(w http.ResponseWriter, r *http.Request) {
 	var decoder = schema.NewDecoder()
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {
@@ -693,6 +785,94 @@ func (handler UserRestHandlerImpl) FetchRoleGroups(w http.ResponseWriter, r *htt
 	common.WriteJsonResp(w, err, res, http.StatusOK)
 }
 
+func (handler UserRestHandlerImpl) FetchRoleGroups(w http.ResponseWriter, r *http.Request) {
+	userId, err := handler.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	// RBAC enforcer applying
+	token := r.Header.Get("token")
+	//checking superAdmin access
+	isAuthorised := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*")
+	if !isAuthorised {
+		user, err := handler.userService.GetById(userId)
+		if err != nil {
+			handler.logger.Errorw("error in getting user by id", "err", err)
+			common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
+			return
+		}
+		var roleFilters []bean.RoleFilter
+		if len(user.Groups) > 0 {
+			groupRoleFilters, err := handler.userService.GetRoleFiltersByGroupNames(user.Groups)
+			if err != nil {
+				handler.logger.Errorw("Error in getting role filters by group names", "err", err, "groupNames", user.Groups)
+				common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
+				return
+			}
+			if len(groupRoleFilters) > 0 {
+				roleFilters = append(roleFilters, groupRoleFilters...)
+			}
+		}
+		if user.RoleFilters != nil && len(user.RoleFilters) > 0 {
+			roleFilters = append(roleFilters, user.RoleFilters...)
+		}
+		if len(roleFilters) > 0 {
+			for _, filter := range roleFilters {
+				if len(filter.Team) > 0 {
+					if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionGet, filter.Team); ok {
+						isAuthorised = true
+						break
+					}
+				}
+				if filter.Entity == bean.CLUSTER_ENTITIY {
+					if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); isValidAuth {
+						isAuthorised = true
+						break
+					}
+				}
+
+			}
+		}
+	}
+	if !isAuthorised {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+	res, err := handler.roleGroupService.FetchRoleGroups()
+	if err != nil {
+		handler.logger.Errorw("service err, FetchRoleGroups", "err", err)
+		common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
+func (handler UserRestHandlerImpl) FetchDetailedRoleGroups(w http.ResponseWriter, r *http.Request) {
+	userId, err := handler.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	token := r.Header.Get("token")
+	isActionUserSuperAdmin := false
+	if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
+		isActionUserSuperAdmin = true
+	}
+	if !isActionUserSuperAdmin {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+
+	res, err := handler.roleGroupService.FetchDetailedRoleGroups()
+	if err != nil {
+		handler.logger.Errorw("service err, FetchRoleGroups", "err", err)
+		common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
 func (handler UserRestHandlerImpl) FetchRoleGroupsByName(w http.ResponseWriter, r *http.Request) {
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {

api/auth/user/UserRouter.go

@@ -38,6 +38,8 @@ func NewUserRouterImpl(userRestHandler UserRestHandler) *UserRouterImpl {
 
 func (router UserRouterImpl) InitUserRouter(userAuthRouter *mux.Router) {
 	//User management
+	userAuthRouter.Path("/v2").
+		HandlerFunc(router.userRestHandler.GetAllV2).Methods("GET")
 	userAuthRouter.Path("/{id}").
 		HandlerFunc(router.userRestHandler.GetById).Methods("GET")
 	userAuthRouter.Path("").
@@ -48,7 +50,11 @@ func (router UserRouterImpl) InitUserRouter(userAuthRouter *mux.Router) {
 		HandlerFunc(router.userRestHandler.UpdateUser).Methods("PUT")
 	userAuthRouter.Path("/{id}").
 		HandlerFunc(router.userRestHandler.DeleteUser).Methods("DELETE")
+	userAuthRouter.Path("/detail/get").
+		HandlerFunc(router.userRestHandler.GetAllDetailedUsers).Methods("GET")
 
+	userAuthRouter.Path("/role/group/v2").
+		HandlerFunc(router.userRestHandler.FetchRoleGroupsV2).Methods("GET")
 	userAuthRouter.Path("/role/group/{id}").
 		HandlerFunc(router.userRestHandler.FetchRoleGroupById).Methods("GET")
 	userAuthRouter.Path("/role/group").
@@ -57,6 +63,8 @@ func (router UserRouterImpl) InitUserRouter(userAuthRouter *mux.Router) {
 		HandlerFunc(router.userRestHandler.UpdateRoleGroup).Methods("PUT")
 	userAuthRouter.Path("/role/group").
 		HandlerFunc(router.userRestHandler.FetchRoleGroups).Methods("GET")
+	userAuthRouter.Path("/role/group/detailed/get").
+		HandlerFunc(router.userRestHandler.FetchDetailedRoleGroups).Methods("GET")
 	userAuthRouter.Path("/role/group/search").
 		Queries("name", "{name}").
 		HandlerFunc(router.userRestHandler.FetchRoleGroupsByName).Methods("GET")

api/bean/UserRequest.go

@@ -31,7 +31,7 @@ type UserRole struct {
 
 type UserInfo struct {
 	Id            int32        `json:"id" validate:"number,not-system-admin-userid"`
-	EmailId       string       `json:"emailId" validate:"required,not-system-admin-user"`
+	EmailId       string       `json:"email_id" validate:"required,not-system-admin-user"` // TODO : have to migrate json key to emailId and also handle backward compatibility
 	Roles         []string     `json:"roles,omitempty"`
 	AccessToken   string       `json:"access_token,omitempty"`
 	RoleFilters   []RoleFilter `json:"roleFilters"`

api/restHandler/app/pipeline/status/PipelineStatusTimelineRestHandler.go

@@ -33,13 +33,18 @@ type PipelineStatusTimelineRestHandlerImpl struct {
 }
 
 func NewPipelineStatusTimelineRestHandlerImpl(logger *zap.SugaredLogger,
+	userService user.UserService,
 	pipelineStatusTimelineService status.PipelineStatusTimelineService, enforcerUtil rbac.EnforcerUtil,
-	enforcer casbin.Enforcer) *PipelineStatusTimelineRestHandlerImpl {
+	enforcer casbin.Enforcer, cdApplicationStatusUpdateHandler cron.CdApplicationStatusUpdateHandler,
+	pipeline pipeline.PipelineBuilder) *PipelineStatusTimelineRestHandlerImpl {
 	return &PipelineStatusTimelineRestHandlerImpl{
-		logger:                        logger,
-		pipelineStatusTimelineService: pipelineStatusTimelineService,
-		enforcerUtil:                  enforcerUtil,
-		enforcer:                      enforcer,
+		logger:                           logger,
+		userService:                      userService,
+		pipelineStatusTimelineService:    pipelineStatusTimelineService,
+		enforcerUtil:                     enforcerUtil,
+		enforcer:                         enforcer,
+		cdApplicationStatusUpdateHandler: cdApplicationStatusUpdateHandler,
+		pipeline:                         pipeline,
 	}
 }
 

docs/FAQs/devtron-troubleshoot.md

@@ -521,4 +521,23 @@ kubectl delete pod -n devtroncd -l app=devtron
 
 This command deletes the Devtron pod in the `devtroncd` namespace with the label `app=devtron`.
 
-Following these steps should allow you to refresh the ArgoCD certificates when they have expired.
+Following these steps should allow you to refresh the ArgoCD certificates when they have expired.
+
+
+### 26. Not able to see commits, throwing exit status 128
+1. **Save the Git Repository Again**
+Wait for few minutes and check the build pipeline if commits are visible or not
+
+2. **Check git sensor pod logs**
+
+```yaml
+kubectl logs -n devtroncd -l app=git-sensor
+```
+If you still get the same issue, try to bounce the pod and save the git repository again
+```yaml
+kubectl delete po -n devtroncd -l app=git-sensor
+```
+
+3. **Try to clone the git repository with the token you have added for Git Account**
+
+In case the cloning fails, you can generate the token, update the Git account in Global Configurations, and try to save the git repository again.

docs/README.md

@@ -81,7 +81,3 @@ Get updates on Devtron's development and chat with the project maintainers, cont
 ## Vulnerability Reporting
 
 We, at Devtron, take security and our users' trust very seriously. If you believe you have found a security issue in Devtron, please responsibly disclose it by contacting us at **security@devtron.ai**.
- 
-## License
- 
-Devtron is available under the [Apache License, Version 2.0](https://github.com/devtron-labs/devtron/blob/main/LICENSE).

docs/SUMMARY.md

@@ -44,6 +44,7 @@
   * [Scoped Variables](user-guide/global-configurations/scoped-variables.md)
   * [Tags Policy](user-guide/global-configurations/tags-policy.md)
   * [Filter Condition](user-guide/global-configurations/filter-condition.md)
+  * [Build Infra](user-guide/global-configurations/build-infra.md)
 * [Devtron Upgrade](setup/upgrade/README.md)
   * [Update Devtron from Devtron UI](setup/upgrade/upgrade-devtron-ui.md)
   * [0.5.x-0.6.x](setup/upgrade/devtron-upgrade-0.5.x-0.6.x.md)