chore: clean up managedFields from k8s objects from UI display (numaproj#3098)

Signed-off-by: Derek Wang <whynowy@gmail.com>

Author: whynowy

.github/workflows/ci.yaml

@@ -188,6 +188,7 @@ jobs:
     timeout-minutes: 20
     strategy:
       fail-fast: false
+      max-parallel: 13
       matrix:
         driver: [jetstream]
         case:

go.mod

@@ -34,6 +34,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.18.2
 	github.com/stretchr/testify v1.11.1
+	github.com/tidwall/gjson v1.18.0
 	github.com/xdg-go/scram v1.1.2
 	go.opentelemetry.io/contrib/bridges/prometheus v0.63.0
 	go.opentelemetry.io/otel v1.38.0
@@ -173,7 +174,6 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tidwall/gjson v1.14.4 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/toqueteos/webbrowser v1.2.0 // indirect

go.sum

@@ -579,8 +579,9 @@ github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
-github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM=
 github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=

server/routes/auth_middleware.go

@@ -0,0 +1,92 @@
+/*
+Copyright 2022 The Numaproj Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package routes
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/numaproj/numaflow/pkg/shared/logging"
+	v1 "github.com/numaproj/numaflow/server/apis/v1"
+	"github.com/numaproj/numaflow/server/authn"
+	"github.com/numaproj/numaflow/server/authz"
+	"github.com/numaproj/numaflow/server/common"
+)
+
+// authMiddleware is the middleware for AuthN/AuthZ.
+// it ensures the user is authenticated and authorized
+// to execute the requested action before sending the request to the api handler.
+func authMiddleware(ctx context.Context, authorizer authz.Authorizer, dexAuthenticator authn.Authenticator, localUsersAuthenticator authn.Authenticator, authRouteMap authz.RouteMap) gin.HandlerFunc {
+
+	return func(c *gin.Context) {
+
+		log := logging.FromContext(ctx)
+		var userInfo *authn.UserInfo
+
+		loginType, err := c.Cookie(common.LoginCookieName)
+		if err != nil {
+			errMsg := fmt.Sprintf("Failed to get login type: %v", err)
+			c.JSON(http.StatusUnauthorized, v1.NewNumaflowAPIResponse(&errMsg, nil))
+			c.Abort()
+			return
+		}
+
+		// Authenticate the user based on the login type.
+		switch loginType {
+		case "dex":
+			userInfo, err = dexAuthenticator.Authenticate(c)
+		case "local":
+			userInfo, err = localUsersAuthenticator.Authenticate(c)
+		default:
+			errMsg := fmt.Sprintf("unidentified login type received: %v", loginType)
+			c.JSON(http.StatusUnauthorized, v1.NewNumaflowAPIResponse(&errMsg, nil))
+			c.Abort()
+			return
+		}
+		if err != nil {
+			errMsg := fmt.Sprintf("Failed to authenticate user: %v", err)
+			c.JSON(http.StatusUnauthorized, v1.NewNumaflowAPIResponse(&errMsg, nil))
+			c.Abort()
+			return
+		}
+		// Check if the route requires authorization.
+		if authRouteMap.GetRouteFromContext(c) != nil && authRouteMap.GetRouteFromContext(c).RequiresAuthZ {
+			// Check if the user is authorized to execute the requested action.
+			isAuthorized := authorizer.Authorize(c, userInfo)
+			if isAuthorized {
+				// If the user is authorized, continue the request.
+				c.Next()
+			} else {
+				// If the user is not authorized, return an error.
+				errMsg := "user is not authorized to execute the requested action"
+				c.JSON(http.StatusForbidden, v1.NewNumaflowAPIResponse(&errMsg, nil))
+				c.Abort()
+			}
+		} else if authRouteMap.GetRouteFromContext(c) != nil && !authRouteMap.GetRouteFromContext(c).RequiresAuthZ {
+			// If the route does not require AuthZ, skip the AuthZ check.
+			c.Next()
+		} else {
+			// If the route is not present in the route map, return an error.
+			log.Errorw("route not present in routeMap", "route", authz.GetRouteMapKey(c))
+			errMsg := "Invalid route"
+			c.JSON(http.StatusForbidden, v1.NewNumaflowAPIResponse(&errMsg, nil))
+			c.Abort()
+		}
+	}
+}