From f3696ec9f79a4e0b1cb8bd562084ddd147aca39c Mon Sep 17 00:00:00 2001
From: ashish sonam
Date: Tue, 28 May 2024 11:44:56 +0530
Subject: [PATCH 1/8] introduced env variable for restricting terminal access
---
 .../application/k8sApplicationRestHandler.go | 38 +++++++++++++++++++
 pkg/k8s/application/bean/bean.go | 4 ++
 2 files changed, 42 insertions(+)
diff --git a/api/k8s/application/k8sApplicationRestHandler.go b/api/k8s/application/k8sApplicationRestHandler.go
index 019c372b9d..be3a047f5f 100644
--- a/api/k8s/application/k8sApplicationRestHandler.go
+++ b/api/k8s/application/k8sApplicationRestHandler.go
@@ -7,6 +7,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "github.com/caarlos0/env/v6"
 "github.com/devtron-labs/common-lib/utils"
 util3 "github.com/devtron-labs/common-lib/utils/k8s"
 k8sCommonBean "github.com/devtron-labs/common-lib/utils/k8s/commonBean"
@@ -815,6 +816,19 @@ func (handler *K8sApplicationRestHandlerImpl) GetTerminalSession(w http.Response
 return
 }
 request.ExternalArgoApplicationName = vars.Get("externalArgoApplicationName")
+
+ envVars := &bean2.TerminalEnvVariables{}
+ err = env.Parse(envVars)
+ if err != nil {
+ common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+ return
+ }
+ // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can access terminal
+ if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin && envVars.RestrictTerminalAccessForNonSuperUser {
+ common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+ return
+ }
+
 if resourceRequestBean.AppIdentifier != nil {
 // RBAC enforcer applying For Helm App
 rbacObject, rbacObject2 := handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(resourceRequestBean.AppIdentifier.ClusterId, resourceRequestBean.AppIdentifier.Namespace, resourceRequestBean.AppIdentifier.ReleaseName)
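Review bot: The added block in GetTerminalSession re-reads the process environment with `env.Parse` on every request and answers a parse failure with 400, which blames the client for a server-side configuration problem; parse `TerminalEnvVariables` once at startup and inject it (the fifth patch in this series does that), and while the per-request parse remains the failure should be `http.StatusInternalServerError`. The super-admin check itself sits before the per-app RBAC, which is the right order, so a refused caller learns nothing about the target resource. GetTerminalSession starts and ends outside this hunk. The same block is duplicated in the CreateEphemeralContainer and DeleteEphemeralContainer hunks that follow.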
@@ -992,6 +1006,7 @@ func (handler *K8sApplicationRestHandlerImpl) verifyRbacForCluster(token string,
 }
 
 func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.ResponseWriter, r *http.Request) {
+ token := r.Header.Get("token")
 userId, err := handler.userService.GetLoggedInUser(r)
 if userId == 0 || err != nil {
 common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
@@ -1013,6 +1028,17 @@ func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.Re
 common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 return
 }
+ envVars := &bean2.TerminalEnvVariables{}
+ err = env.Parse(envVars)
+ if err != nil {
+ common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+ return
+ }
+ // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can create ephemeral container
+ if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin && envVars.RestrictTerminalAccessForNonSuperUser {
+ common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+ return
+ }
 //rbac applied in below function
 resourceRequestBean := handler.handleEphemeralRBAC(request.PodName, request.Namespace, w, r)
 if resourceRequestBean == nil {
@@ -1036,6 +1062,7 @@ func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.Re
 }
 
 func (handler *K8sApplicationRestHandlerImpl) DeleteEphemeralContainer(w http.ResponseWriter, r *http.Request) {
+ token := r.Header.Get("token")
 userId, err := handler.userService.GetLoggedInUser(r)
 if userId == 0 || err != nil {
 common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
@@ -1057,6 +1084,17 @@ func (handler *K8sApplicationRestHandlerImpl) DeleteEphemeralContainer(w http.Re
 common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 return
 }
+ envVars := &bean2.TerminalEnvVariables{}
+ err = env.Parse(envVars)
+ if err != nil {
+ common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+ return
+ }
+ // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can delete ephemeral container
+ if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin && envVars.RestrictTerminalAccessForNonSuperUser {
+ common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+ return
+ }
 //rbac applied in below function
 resourceRequestBean := handler.handleEphemeralRBAC(request.PodName, request.Namespace, w, r)
 if resourceRequestBean == nil {
diff --git a/pkg/k8s/application/bean/bean.go b/pkg/k8s/application/bean/bean.go
index 6bf1d578e3..7ae39a787d 100644
--- a/pkg/k8s/application/bean/bean.go
+++ b/pkg/k8s/application/bean/bean.go
@@ -54,3 +54,7 @@ type RotatePodResourceResponse struct {
 k8s.ResourceIdentifier
 ErrorResponse string `json:"errorResponse"`
 }
+
+type TerminalEnvVariables struct {
+ RestrictTerminalAccessForNonSuperUser bool `env:"RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER" envDefault:"false"`
+}
From b93a882d4126e02d9255d8cc22a951d5b6df19fe Mon Sep 17 00:00:00 2001
From: ashish sonam
Date: Tue, 28 May 2024 11:59:34 +0530
Subject: [PATCH 2/8] refactor
---
 .../application/k8sApplicationRestHandler.go | 54 ++++++++++---------
 1 file changed, 28 insertions(+), 26 deletions(-)
diff --git a/api/k8s/application/k8sApplicationRestHandler.go b/api/k8s/application/k8sApplicationRestHandler.go
index be3a047f5f..50f0abb56d 100644
--- a/api/k8s/application/k8sApplicationRestHandler.go
+++ b/api/k8s/application/k8sApplicationRestHandler.go
@@ -800,6 +800,28 @@ func (handler *K8sApplicationRestHandlerImpl) requestValidationAndRBAC(w http.Re
 }
 }
 
+func (handler *K8sApplicationRestHandlerImpl) restrictTerminalAccessForNonSuperUsers(token string) error {
+ envVars := &bean2.TerminalEnvVariables{}
+ err := env.Parse(envVars)
+ if err != nil {
+ handler.logger.Errorw("error parsing terminal env variables", "err", err)
+ return util2.NewApiError().
+ WithCode(strconv.Itoa(http.StatusBadRequest)).
+ WithHttpStatusCode(http.StatusBadRequest).
+ WithInternalMessage(err.Error()).
+ WithUserMessage("error parsing terminal env variables")
+ }
+ // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can access terminal/ephemeral containers
+ if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin && envVars.RestrictTerminalAccessForNonSuperUser {
+ handler.logger.Errorw("unauthorized user, only super admins can access terminal", "err", err)
+ return util2.NewApiError().
+ WithCode(strconv.Itoa(http.StatusForbidden)).
+ WithHttpStatusCode(http.StatusForbidden).
+ WithUserMessage("unauthorized")
+ }
+ return nil
+}
+
 func (handler *K8sApplicationRestHandlerImpl) GetTerminalSession(w http.ResponseWriter, r *http.Request) {
 token := r.Header.Get("token")
 userId, err := handler.userService.GetLoggedInUser(r)
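Review bot: In the denial branch `err` is necessarily nil (a parse error has already returned), so `handler.logger.Errorw("unauthorized user, only super admins can access terminal", "err", err)` logs an empty field and records nothing that identifies the refused caller; a refusal is normal operation rather than an error, so `handler.logger.Warnw("terminal access denied: caller is not a super-admin")` is the more useful audit line, and the token must not be logged. The helper also folds two failure classes into one `error` return, a malformed environment (400) and a refused caller (403), which the callers in the following hunks cannot tell apart without inspecting the ApiError. restrictTerminalAccessForNonSuperUsers is complete within this hunk.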
@@ -816,19 +838,11 @@ func (handler *K8sApplicationRestHandlerImpl) GetTerminalSession(w http.Response
 return
 }
 request.ExternalArgoApplicationName = vars.Get("externalArgoApplicationName")
-
- envVars := &bean2.TerminalEnvVariables{}
- err = env.Parse(envVars)
+ err = handler.restrictTerminalAccessForNonSuperUsers(token)
 if err != nil {
- common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
- return
- }
- // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can access terminal
- if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin && envVars.RestrictTerminalAccessForNonSuperUser {
- common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+ common.WriteJsonResp(w, err, nil, http.StatusForbidden)
 return
 }
-
 if resourceRequestBean.AppIdentifier != nil {
 // RBAC enforcer applying For Helm App
 rbacObject, rbacObject2 := handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(resourceRequestBean.AppIdentifier.ClusterId, resourceRequestBean.AppIdentifier.Namespace, resourceRequestBean.AppIdentifier.ReleaseName)
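Review bot: `common.WriteJsonResp(w, err, nil, http.StatusForbidden)` hardcodes 403 for every error the helper returns, although the helper encodes the intended status with `WithHttpStatusCode` (400 for an env-parse failure); either read the status back from the ApiError or let the helper write the response itself. The same hardcoding appears in the CreateEphemeralContainer and DeleteEphemeralContainer hunks that follow. GetTerminalSession starts and ends outside this hunk.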
@@ -1028,15 +1042,9 @@ func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.Re
 common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 return
 }
- envVars := &bean2.TerminalEnvVariables{}
- err = env.Parse(envVars)
+ err = handler.restrictTerminalAccessForNonSuperUsers(token)
 if err != nil {
- common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
- return
- }
- // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can create ephemeral container
- if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin && envVars.RestrictTerminalAccessForNonSuperUser {
- common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+ common.WriteJsonResp(w, err, nil, http.StatusForbidden)
 return
 }
 //rbac applied in below function
@@ -1084,15 +1092,9 @@ func (handler *K8sApplicationRestHandlerImpl) DeleteEphemeralContainer(w http.Re
 common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 return
 }
- envVars := &bean2.TerminalEnvVariables{}
- err = env.Parse(envVars)
+ err = handler.restrictTerminalAccessForNonSuperUsers(token)
 if err != nil {
- common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
- return
- }
- // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can delete ephemeral container
- if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin && envVars.RestrictTerminalAccessForNonSuperUser {
- common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+ common.WriteJsonResp(w, err, nil, http.StatusForbidden)
 return
 }
 //rbac applied in below function
From c5f45c37cddb2d62c92211f88949cbe6d79fda91 Mon Sep 17 00:00:00 2001
From: ashish sonam
Date: Tue, 28 May 2024 12:22:54 +0530
Subject: [PATCH 3/8] env_gen
---
 env_gen.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/env_gen.md b/env_gen.md
index 5e77dca153..ffb475bdcd 100644
--- a/env_gen.md
+++ b/env_gen.md
@@ -118,6 +118,7 @@
 | ENFORCER_MAX_BATCH_SIZE | 1 | |
 | EPHEMERAL_SERVER_VERSION_REGEX | v[1-9]\.\b(2[3-9]|[3-9][0-9])\b.* | |
 | EVENT_URL | http://localhost:3000/notify | |
+ | EXECUTE_WIRE_NIL_CHECKER | false | |
 | EXPOSE_CD_METRICS | false | |
 | EXPOSE_CI_METRICS | false | |
 | EXTERNAL_BLOB_STORAGE_CM_NAME | blob-storage-cm | |
@@ -193,11 +194,12 @@
 | PIPELINE_DEGRADED_TIME | 10 | |
 | PLUGIN_NAME | Pull images from container repository | |
 | PRE_CI_CACHE_PATH | /devtroncd-cache | |
- | PROXY_SERVICE_CONFIG | | |
+ | PROXY_SERVICE_CONFIG | {} | |
 | REQ_CI_CPU | 0.5 | |
 | REQ_CI_MEM | 3G | |
 | RESOURCE_LIST_FOR_REPLICAS | Deployment,Rollout,StatefulSet,ReplicaSet | |
 | RESOURCE_LIST_FOR_REPLICAS_BATCH_SIZE | 5 | |
+ | RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER | false | |
 | REVISION_HISTORY_LIMIT_DEVTRON_APP | 1 | |
 | REVISION_HISTORY_LIMIT_EXTERNAL_HELM_APP | 0 | |
 | REVISION_HISTORY_LIMIT_HELM_APP | 1 | |
From 11122a58e3f3f0c330e418a42f6bc90406896d53 Mon Sep 17 00:00:00 2001
From: ashish sonam
Date: Tue, 28 May 2024 12:51:16 +0530
Subject: [PATCH 4/8] refactor
---
 .../application/k8sApplicationRestHandler.go | 37 ++++++++-----------
 1 file changed, 15 insertions(+), 22 deletions(-)
diff --git a/api/k8s/application/k8sApplicationRestHandler.go b/api/k8s/application/k8sApplicationRestHandler.go
index b5615e86b2..e7feafbad2 100644
--- a/api/k8s/application/k8sApplicationRestHandler.go
+++ b/api/k8s/application/k8sApplicationRestHandler.go
@@ -805,26 +805,19 @@ func (handler *K8sApplicationRestHandlerImpl) requestValidationAndRBAC(w http.Re
 }
 }
 
-func (handler *K8sApplicationRestHandlerImpl) restrictTerminalAccessForNonSuperUsers(token string) error {
+func (handler *K8sApplicationRestHandlerImpl) restrictTerminalAccessForNonSuperUsers(w http.ResponseWriter, token string) bool {
 envVars := &bean2.TerminalEnvVariables{}
 err := env.Parse(envVars)
 if err != nil {
- handler.logger.Errorw("error parsing terminal env variables", "err", err)
- return util2.NewApiError().
- WithCode(strconv.Itoa(http.StatusBadRequest)).
- WithHttpStatusCode(http.StatusBadRequest).
- WithInternalMessage(err.Error()).
- WithUserMessage("error parsing terminal env variables")
+ handler.logger.Warnw("error parsing env variables", "err", err)
+ return false
 }
 // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can access terminal/ephemeral containers
 if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin && envVars.RestrictTerminalAccessForNonSuperUser {
- handler.logger.Errorw("unauthorized user, only super admins can access terminal", "err", err)
- return util2.NewApiError().
- WithCode(strconv.Itoa(http.StatusForbidden)).
- WithHttpStatusCode(http.StatusForbidden).
- WithUserMessage("unauthorized")
+ common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+ return true
 }
- return nil
+ return false
 }
 
 func (handler *K8sApplicationRestHandlerImpl) GetTerminalSession(w http.ResponseWriter, r *http.Request) {
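Review bot: The new `return false` after `handler.logger.Warnw("error parsing env variables", "err", err)` fails open: when the environment cannot be parsed the restriction is silently skipped and a non-super-admin is admitted, so a parse failure should deny (write a 500 and `return true`) rather than allow. In the denial branch `err` is nil, so `common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)` writes an empty error, and the condition is an authorization refusal of an authenticated user, which is 403 rather than 401. The function is complete within this hunk.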
@@ -843,9 +836,9 @@ func (handler *K8sApplicationRestHandlerImpl) GetTerminalSession(w http.Response
 return
 }
 request.ExternalArgoApplicationName = vars.Get("externalArgoApplicationName")
- err = handler.restrictTerminalAccessForNonSuperUsers(token)
- if err != nil {
- common.WriteJsonResp(w, err, nil, http.StatusForbidden)
+ // check for super admin
+ restricted := handler.restrictTerminalAccessForNonSuperUsers(w, token)
+ if restricted {
 return
 }
 if resourceRequestBean.AppIdentifier != nil {
@@ -1047,9 +1040,9 @@ func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.Re
 common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 return
 }
- err = handler.restrictTerminalAccessForNonSuperUsers(token)
- if err != nil {
- common.WriteJsonResp(w, err, nil, http.StatusForbidden)
+ // check for super admin
+ restricted := handler.restrictTerminalAccessForNonSuperUsers(w, token)
+ if restricted {
 return
 }
 //rbac applied in below function
@@ -1097,9 +1090,9 @@ func (handler *K8sApplicationRestHandlerImpl) DeleteEphemeralContainer(w http.Re
 common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 return
 }
- err = handler.restrictTerminalAccessForNonSuperUsers(token)
- if err != nil {
- common.WriteJsonResp(w, err, nil, http.StatusForbidden)
+ // check for super admin
+ restricted := handler.restrictTerminalAccessForNonSuperUsers(w, token)
+ if restricted {
 return
 }
 //rbac applied in below function
From 2816d5ffc84e22b96a01cd313ad28789e6725976 Mon Sep 17 00:00:00 2001
From: ashish sonam
Date: Wed, 29 May 2024 11:35:51 +0530
Subject: [PATCH 5/8] refactor
---
 .../application/k8sApplicationRestHandler.go | 19 ++++++++-----------
 pkg/k8s/application/bean/bean.go | 4 ----
 util/GlobalConfig.go | 6 ++++++
 3 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/api/k8s/application/k8sApplicationRestHandler.go b/api/k8s/application/k8sApplicationRestHandler.go
index e7feafbad2..ce59133530 100644
--- a/api/k8s/application/k8sApplicationRestHandler.go
+++ b/api/k8s/application/k8sApplicationRestHandler.go
@@ -7,7 +7,6 @@ import (
 "encoding/json"
 "errors"
 "fmt"
- "github.com/caarlos0/env/v6"
 "github.com/devtron-labs/common-lib/utils"
 util3 "github.com/devtron-labs/common-lib/utils/k8s"
 k8sCommonBean "github.com/devtron-labs/common-lib/utils/k8s/commonBean"
@@ -74,9 +73,10 @@ type K8sApplicationRestHandlerImpl struct {
 helmAppService client.HelmAppService
 userService user.UserService
 k8sCommonService k8s.K8sCommonService
+ terminalEnvVariables *util.TerminalEnvVariables
 }
 
-func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationService application2.K8sApplicationService, pump connector.Pump, terminalSessionHandler terminal.TerminalSessionHandler, enforcer casbin.Enforcer, enforcerUtilHelm rbac.EnforcerUtilHelm, enforcerUtil rbac.EnforcerUtil, helmAppService client.HelmAppService, userService user.UserService, k8sCommonService k8s.K8sCommonService, validator *validator.Validate) *K8sApplicationRestHandlerImpl {
+func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationService application2.K8sApplicationService, pump connector.Pump, terminalSessionHandler terminal.TerminalSessionHandler, enforcer casbin.Enforcer, enforcerUtilHelm rbac.EnforcerUtilHelm, enforcerUtil rbac.EnforcerUtil, helmAppService client.HelmAppService, userService user.UserService, k8sCommonService k8s.K8sCommonService, validator *validator.Validate, terminalEnvVariables *util.TerminalEnvVariables) *K8sApplicationRestHandlerImpl {
 return &K8sApplicationRestHandlerImpl{
 logger: logger,
 k8sApplicationService: k8sApplicationService,
@@ -89,6 +89,7 @@ func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationS
 helmAppService: helmAppService,
 userService: userService,
 k8sCommonService: k8sCommonService,
+ terminalEnvVariables: terminalEnvVariables,
 }
 }
 
@@ -806,16 +807,12 @@ func (handler *K8sApplicationRestHandlerImpl) requestValidationAndRBAC(w http.Re
 }
 
 func (handler *K8sApplicationRestHandlerImpl) restrictTerminalAccessForNonSuperUsers(w http.ResponseWriter, token string) bool {
- envVars := &bean2.TerminalEnvVariables{}
- err := env.Parse(envVars)
- if err != nil {
- handler.logger.Warnw("error parsing env variables", "err", err)
- return false
- }
 // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can access terminal/ephemeral containers
- if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin && envVars.RestrictTerminalAccessForNonSuperUser {
- common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
- return true
+ if handler.terminalEnvVariables.RestrictTerminalAccessForNonSuperUser {
+ if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin {
+ common.WriteJsonResp(w, errors.New("unauthorized User"), "Unauthorized User", http.StatusUnauthorized)
+ return true
+ }
 }
 return false
 }
diff --git a/pkg/k8s/application/bean/bean.go b/pkg/k8s/application/bean/bean.go
index 7ae39a787d..6bf1d578e3 100644
--- a/pkg/k8s/application/bean/bean.go
+++ b/pkg/k8s/application/bean/bean.go
@@ -54,7 +54,3 @@ type RotatePodResourceResponse struct {
 k8s.ResourceIdentifier
 ErrorResponse string `json:"errorResponse"`
 }
-
-type TerminalEnvVariables struct {
- RestrictTerminalAccessForNonSuperUser bool `env:"RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER" envDefault:"false"`
-}
diff --git a/util/GlobalConfig.go b/util/GlobalConfig.go
index d82f16e2db..7c40b484da 100644
--- a/util/GlobalConfig.go
+++ b/util/GlobalConfig.go
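Review bot: `handler.terminalEnvVariables.RestrictTerminalAccessForNonSuperUser` dereferences a pointer that the constructor in the previous hunk stores without a nil check; a nil config panics here, and the per-request panic recovery in net/http (or a recovery middleware, if one is installed) turns that into a dropped connection rather than a clean response. Guard at construction, or treat a missing config as restricted so the failure mode is a refusal: `if handler.terminalEnvVariables == nil || handler.terminalEnvVariables.RestrictTerminalAccessForNonSuperUser {`. The denial line still answers 401 for what is an authorization refusal; the last patch in this series changes it to 403.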
@@ -8,6 +8,7 @@ type EnvironmentVariables struct {
 GlobalEnvVariables *GlobalEnvVariables
 DevtronSecretConfig *DevtronSecretConfig
 DeploymentServiceTypeConfig *DeploymentServiceTypeConfig
+ TerminalEnvVariables *TerminalEnvVariables
 }
 
 type DeploymentServiceTypeConfig struct {
@@ -27,11 +28,16 @@ type DevtronSecretConfig struct {
 DevtronDexSecretNamespace string `env:"DEVTRON_DEX_SECRET_NAMESPACE" envDefault:"devtroncd"`
 }
 
+type TerminalEnvVariables struct {
+ RestrictTerminalAccessForNonSuperUser bool `env:"RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER" envDefault:"false"`
+}
+
 func GetEnvironmentVariables() (*EnvironmentVariables, error) {
 cfg := &EnvironmentVariables{
 GlobalEnvVariables: &GlobalEnvVariables{},
 DevtronSecretConfig: &DevtronSecretConfig{},
 DeploymentServiceTypeConfig: &DeploymentServiceTypeConfig{},
+ TerminalEnvVariables: &TerminalEnvVariables{},
 }
 err := env.Parse(cfg)
 if err != nil {
From a4d6b7c14272291d52c4ac607117bd204847f58c Mon Sep 17 00:00:00 2001
From: ashish sonam
Date: Wed, 29 May 2024 11:38:49 +0530
Subject: [PATCH 6/8] refactor
---
 api/k8s/application/k8sApplicationRestHandler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/k8s/application/k8sApplicationRestHandler.go b/api/k8s/application/k8sApplicationRestHandler.go
index 8ef5217250..0561f91692 100644
--- a/api/k8s/application/k8sApplicationRestHandler.go
+++ b/api/k8s/application/k8sApplicationRestHandler.go
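Review bot: `TerminalEnvVariables` and its field are exported without doc comments in the second hunk of util/GlobalConfig.go, and since the field is the switch that gates pod-terminal and ephemeral-container access its security effect belongs on the declaration: `// TerminalEnvVariables holds the env-driven access policy for the pod terminal and ephemeral-container endpoints.` on the type, and `// RestrictTerminalAccessForNonSuperUser limits those endpoints to super-admins when true (RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER, default false).` on the field. The first hunk only adds the pointer field to EnvironmentVariables and needs no change.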
@@ -826,7 +826,7 @@ func (handler *K8sApplicationRestHandlerImpl) restrictTerminalAccessForNonSuperU
 // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can access terminal/ephemeral containers
 if handler.terminalEnvVariables.RestrictTerminalAccessForNonSuperUser {
 if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin {
- common.WriteJsonResp(w, errors.New("unauthorized User"), "Unauthorized User", http.StatusUnauthorized)
+ common.WriteJsonResp(w, errors.New("unauthorized User"), nil, http.StatusUnauthorized)
 return true
 }
 }
From cae2ff5dc8dfccf5bab594a5616cbcb2278b8862 Mon Sep 17 00:00:00 2001
From: ashish sonam
Date: Wed, 29 May 2024 11:45:55 +0530
Subject: [PATCH 7/8] refactor
---
 api/k8s/application/k8sApplicationRestHandler.go | 4 ++--
 wire_gen.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/api/k8s/application/k8sApplicationRestHandler.go b/api/k8s/application/k8sApplicationRestHandler.go
index 0561f91692..fece1e3890 100644
--- a/api/k8s/application/k8sApplicationRestHandler.go
+++ b/api/k8s/application/k8sApplicationRestHandler.go
@@ -92,7 +92,7 @@ type K8sApplicationRestHandlerImpl struct {
 terminalEnvVariables *util.TerminalEnvVariables
 }
 
-func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationService application2.K8sApplicationService, pump connector.Pump, terminalSessionHandler terminal.TerminalSessionHandler, enforcer casbin.Enforcer, enforcerUtilHelm rbac.EnforcerUtilHelm, enforcerUtil rbac.EnforcerUtil, helmAppService client.HelmAppService, userService user.UserService, k8sCommonService k8s.K8sCommonService, validator *validator.Validate, terminalEnvVariables *util.TerminalEnvVariables) *K8sApplicationRestHandlerImpl {
+func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationService application2.K8sApplicationService, pump connector.Pump, terminalSessionHandler terminal.TerminalSessionHandler, enforcer casbin.Enforcer, enforcerUtilHelm rbac.EnforcerUtilHelm, enforcerUtil rbac.EnforcerUtil, helmAppService client.HelmAppService, userService user.UserService, k8sCommonService k8s.K8sCommonService, validator *validator.Validate, envVariables *util.EnvironmentVariables) *K8sApplicationRestHandlerImpl {
 return &K8sApplicationRestHandlerImpl{
 logger: logger,
 k8sApplicationService: k8sApplicationService,
@@ -105,7 +105,7 @@ func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationS
 helmAppService: helmAppService,
 userService: userService,
 k8sCommonService: k8sCommonService,
- terminalEnvVariables: terminalEnvVariables,
+ terminalEnvVariables: envVariables.TerminalEnvVariables,
 }
 }
 
diff --git a/wire_gen.go b/wire_gen.go
index 6712526b9e..05259ecfe8 100644
--- a/wire_gen.go
+++ b/wire_gen.go
@@ -1,6 +1,6 @@
 // Code generated by Wire. DO NOT EDIT.
 
-//go:generate go run github.com/google/wire/cmd/wire
+//go:generate go run -mod=mod github.com/google/wire/cmd/wire
 //go:build !wireinject
 // +build !wireinject
 
@@ -817,7 +817,7 @@ func InitializeApp() (*App, error) {
 coreAppRouterImpl := router.NewCoreAppRouterImpl(coreAppRestHandlerImpl)
 helmAppRestHandlerImpl := client3.NewHelmAppRestHandlerImpl(sugaredLogger, helmAppServiceImpl, enforcerImpl, clusterServiceImplExtended, enforcerUtilHelmImpl, appStoreDeploymentServiceImpl, installedAppDBServiceImpl, userServiceImpl, attributesServiceImpl, serverEnvConfigServerEnvConfig)
 helmAppRouterImpl := client3.NewHelmAppRouterImpl(helmAppRestHandlerImpl)
- k8sApplicationRestHandlerImpl := application3.NewK8sApplicationRestHandlerImpl(sugaredLogger, k8sApplicationServiceImpl, pumpImpl, terminalSessionHandlerImpl, enforcerImpl, enforcerUtilHelmImpl, enforcerUtilImpl, helmAppServiceImpl, userServiceImpl, k8sCommonServiceImpl, validate)
+ k8sApplicationRestHandlerImpl := application3.NewK8sApplicationRestHandlerImpl(sugaredLogger, k8sApplicationServiceImpl, pumpImpl, terminalSessionHandlerImpl, enforcerImpl, enforcerUtilHelmImpl, enforcerUtilImpl, helmAppServiceImpl, userServiceImpl, k8sCommonServiceImpl, validate, environmentVariables)
 k8sApplicationRouterImpl := application3.NewK8sApplicationRouterImpl(k8sApplicationRestHandlerImpl)
 pProfRestHandlerImpl := restHandler.NewPProfRestHandler(userServiceImpl, enforcerImpl)
 pProfRouterImpl := router.NewPProfRouter(sugaredLogger, pProfRestHandlerImpl)
From d55daaa107fc4684d9d31f2ff8fa8e060adf8e4e Mon Sep 17 00:00:00 2001
From: ashish sonam
Date: Wed, 29 May 2024 12:25:43 +0530
Subject: [PATCH 8/8] refactor, error msg updated
---
 api/k8s/application/k8sApplicationRestHandler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/k8s/application/k8sApplicationRestHandler.go b/api/k8s/application/k8sApplicationRestHandler.go
index fece1e3890..2fb2d1c718 100644
--- a/api/k8s/application/k8sApplicationRestHandler.go
+++ b/api/k8s/application/k8sApplicationRestHandler.go
@@ -826,7 +826,7 @@ func (handler *K8sApplicationRestHandlerImpl) restrictTerminalAccessForNonSuperU
 // if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can access terminal/ephemeral containers
 if handler.terminalEnvVariables.RestrictTerminalAccessForNonSuperUser {
 if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin {
- common.WriteJsonResp(w, errors.New("unauthorized User"), nil, http.StatusUnauthorized)
+ common.WriteJsonResp(w, errors.New("unauthorized, only super-admins can access terminal"), nil, http.StatusForbidden)
 return true
 }
 }
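Review bot: The refusal now carries a clear message and 403, but nothing is logged when a caller is turned away; the Errorw line that the second patch in this series added was dropped in the fourth, and a denied attempt to open a pod shell is exactly the event an operator wants in the audit trail. The helper only has `w` and `token`, so either pass in the `userId` the callers already hold and log `handler.logger.Warnw("terminal access denied for non super-admin", "userId", userId)` before the `return true`, or log at each call site; do not log the token. restrictTerminalAccessForNonSuperUsers starts outside this hunk.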