feat: auto assign permission group (#6923)

* feat: auto-assign role groups

* fix: sync claims with casbin policy

* feat: file re-structuring for ent oss sync

* feat: global auth apis

* sync file name with oss

Author: SATYAsasini

Wire.go

@@ -33,6 +33,7 @@ import (
 	appStoreDiscover "github.com/devtron-labs/devtron/api/appStore/discover"
 	appStoreValues "github.com/devtron-labs/devtron/api/appStore/values"
 	"github.com/devtron-labs/devtron/api/argoApplication"
+	"github.com/devtron-labs/devtron/api/auth/authorisation/globalConfig"
 	"github.com/devtron-labs/devtron/api/auth/sso"
 	"github.com/devtron-labs/devtron/api/auth/user"
 	chartRepo "github.com/devtron-labs/devtron/api/chartRepo"
@@ -192,6 +193,7 @@ func InitializeApp() (*App, error) {
 		externalLink.ExternalLinkWireSet,
 		team.TeamsWireSet,
 		AuthWireSet,
+		globalConfig.GlobalConfigWireSet,
 		util4.GetRuntimeConfig,
 		util4.NewK8sUtil,
 		wire.Bind(new(util4.K8sService), new(*util4.K8sServiceImpl)),
@@ -993,7 +995,7 @@ func InitializeApp() (*App, error) {
 
 		router.NewOverviewRouterImpl,
 		wire.Bind(new(router.OverviewRouter), new(*router.OverviewRouterImpl)),
-		
+
 		restHandler.NewInfraOverviewRestHandlerImpl,
 		wire.Bind(new(restHandler.InfraOverviewRestHandler), new(*restHandler.InfraOverviewRestHandlerImpl)),
 

api/auth/authorisation/globalConfig/GlobalConfigAuthorisationConfigRouter.go

@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2024. Devtron Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package globalConfig
+
+import "github.com/gorilla/mux"
+
+type AuthorisationConfigRouter interface {
+	InitAuthorisationConfigRouter(router *mux.Router)
+}
+
+type AuthorisationConfigRouterImpl struct {
+	handler AuthorisationConfigRestHandler
+}
+
+func NewGlobalConfigAuthorisationRouterImpl(handler AuthorisationConfigRestHandler) *AuthorisationConfigRouterImpl {
+	return &AuthorisationConfigRouterImpl{handler: handler}
+}
+
+func (router *AuthorisationConfigRouterImpl) InitAuthorisationConfigRouter(authorisationConfigRouter *mux.Router) {
+	authorisationConfigRouter.Path("/global-config").
+		HandlerFunc(router.handler.CreateOrUpdateAuthorisationConfig).Methods("POST")
+	authorisationConfigRouter.Path("/global-config").
+		HandlerFunc(router.handler.GetAllActiveAuthorisationConfig).Methods("GET")
+}

api/auth/authorisation/globalConfig/GlobalConfigAuthorisationRestHandler.go

@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2024. Devtron Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package globalConfig
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"github.com/devtron-labs/devtron/api/restHandler/common"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	auth "github.com/devtron-labs/devtron/pkg/auth/authorisation/globalConfig"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/globalConfig/bean"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
+	"github.com/devtron-labs/devtron/util/commonEnforcementFunctionsUtil"
+	"go.uber.org/zap"
+	"gopkg.in/go-playground/validator.v9"
+)
+
+type AuthorisationConfigRestHandler interface {
+	CreateOrUpdateAuthorisationConfig(w http.ResponseWriter, r *http.Request)
+	GetAllActiveAuthorisationConfig(w http.ResponseWriter, r *http.Request)
+}
+
+type AuthorisationConfigRestHandlerImpl struct {
+	validator                        *validator.Validate
+	logger                           *zap.SugaredLogger
+	enforcer                         casbin.Enforcer
+	userService                      user.UserService
+	userCommonService                user.UserCommonService
+	globalAuthorisationConfigService auth.GlobalAuthorisationConfigService
+	rbacEnforcementUtil              commonEnforcementFunctionsUtil.CommonEnforcementUtil
+}
+
+func NewGlobalAuthorisationConfigRestHandlerImpl(validator *validator.Validate,
+	logger *zap.SugaredLogger, enforcer casbin.Enforcer,
+	userService user.UserService,
+	globalAuthorisationConfigService auth.GlobalAuthorisationConfigService,
+	userCommonService user.UserCommonService,
+	rbacEnforcementUtil commonEnforcementFunctionsUtil.CommonEnforcementUtil,
+) *AuthorisationConfigRestHandlerImpl {
+	return &AuthorisationConfigRestHandlerImpl{
+		validator:                        validator,
+		logger:                           logger,
+		enforcer:                         enforcer,
+		userService:                      userService,
+		globalAuthorisationConfigService: globalAuthorisationConfigService,
+		userCommonService:                userCommonService,
+		rbacEnforcementUtil:              rbacEnforcementUtil,
+	}
+}
+
+func (handler *AuthorisationConfigRestHandlerImpl) CreateOrUpdateAuthorisationConfig(w http.ResponseWriter, r *http.Request) {
+	userId, err := handler.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.HandleUnauthorized(w, r)
+		return
+	}
+	decoder := json.NewDecoder(r.Body)
+	var globalConfigPayload bean.GlobalAuthorisationConfig
+	err = decoder.Decode(&globalConfigPayload)
+	if err != nil {
+		handler.logger.Errorw("request err, CreateOrUpdateAuthorisationConfig", "err", err, "payload", globalConfigPayload)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+	token := r.Header.Get("token")
+	if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionCreate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+	isValidationError, err := handler.validateGlobalAuthorisationConfigPayload(globalConfigPayload)
+	if err != nil {
+		handler.logger.Errorw("error, validateGlobalAuthorisationConfigPayload", "payload", globalConfigPayload, "err", err)
+		if isValidationError {
+			common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+			return
+		}
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	globalConfigPayload.UserId = userId
+	resp, err := handler.globalAuthorisationConfigService.CreateOrUpdateGlobalAuthConfig(globalConfigPayload, nil)
+	if err != nil {
+		handler.logger.Errorw("service error, CreateOrUpdateAuthorisationConfig", "err", err, "payload", globalConfigPayload)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, nil, resp, http.StatusOK)
+}
+
+func (handler *AuthorisationConfigRestHandlerImpl) GetAllActiveAuthorisationConfig(w http.ResponseWriter, r *http.Request) {
+	userId, err := handler.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.HandleUnauthorized(w, r)
+		return
+	}
+	token := r.Header.Get("token")
+	isAuthorised, err := handler.rbacEnforcementUtil.CheckRbacForMangerAndAboveAccess(token, userId)
+	if err != nil {
+		handler.logger.Errorw("error, GetAllActiveAuthorisationConfig", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	if !isAuthorised {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+	resp, err := handler.globalAuthorisationConfigService.GetAllActiveAuthorisationConfig()
+	if err != nil {
+		handler.logger.Errorw("service error, GetAllActiveAuthorisationConfig", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, nil, resp, http.StatusOK)
+}
+
+func (handler *AuthorisationConfigRestHandlerImpl) validateGlobalAuthorisationConfigPayload(globalConfigPayload bean.GlobalAuthorisationConfig) (bool, error) {
+	err := handler.validator.Struct(globalConfigPayload)
+	if err != nil {
+		handler.logger.Errorw("err, validateGlobalAuthorisationConfigPayload", "payload", globalConfigPayload, "err", err)
+		return true, err
+	}
+	if len(globalConfigPayload.ConfigTypes) == 0 {
+		handler.logger.Errorw("err, validation failed on validateGlobalAuthorisationConfigPayload due to no configType provided", "payload", globalConfigPayload)
+		return true, errors.New("no configTypes provided in request")
+	}
+	return false, nil
+}

api/auth/authorisation/globalConfig/wire_globalConfig.go

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2024. Devtron Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package globalConfig
+
+import "github.com/google/wire"
+
+// GlobalConfigWireSet wires the REST handler and router for the authorisation global-config API.
+// NOTE: GlobalAuthorisationConfigRepository and GlobalAuthorisationConfigService are already
+// provided by UserWireSet (api/auth/user/wire_user.go) and must not be re-declared here.
+var GlobalConfigWireSet = wire.NewSet(
+	NewGlobalAuthorisationConfigRestHandlerImpl,
+	wire.Bind(new(AuthorisationConfigRestHandler), new(*AuthorisationConfigRestHandlerImpl)),
+	NewGlobalConfigAuthorisationRouterImpl,
+	wire.Bind(new(AuthorisationConfigRouter), new(*AuthorisationConfigRouterImpl)),
+)

api/auth/user/wire_selfRegistration.go

@@ -25,6 +25,7 @@ import (
 //depends on sql,
 //TODO integrate user auth module
 
+// SelfRegistrationWireSet depends on GlobalAuthorisationConfigService which is provided by UserWireSet
 var SelfRegistrationWireSet = wire.NewSet(
 	repository.NewSelfRegistrationRolesRepositoryImpl,
 	wire.Bind(new(repository.SelfRegistrationRolesRepository), new(*repository.SelfRegistrationRolesRepositoryImpl)),

api/auth/user/wire_user.go

@@ -19,6 +19,8 @@ package user
 import (
 	"github.com/devtron-labs/devtron/pkg/auth/authentication"
 	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	globalConfig "github.com/devtron-labs/devtron/pkg/auth/authorisation/globalConfig"
+	globalConfigRepo "github.com/devtron-labs/devtron/pkg/auth/authorisation/globalConfig/repository"
 	user2 "github.com/devtron-labs/devtron/pkg/auth/user"
 	repository2 "github.com/devtron-labs/devtron/pkg/auth/user/repository"
 	"github.com/google/wire"
@@ -77,4 +79,13 @@ var UserWireSet = wire.NewSet(
 	wire.Bind(new(RbacRoleRestHandler), new(*RbacRoleRestHandlerImpl)),
 	user2.NewRbacRoleServiceImpl,
 	wire.Bind(new(user2.RbacRoleService), new(*user2.RbacRoleServiceImpl)),
+
+	repository2.NewUserAutoAssignGroupMapRepositoryImpl,
+	wire.Bind(new(repository2.UserAutoAssignGroupMapRepository), new(*repository2.UserAutoAssignGroupMapRepositoryImpl)),
+
+	globalConfigRepo.NewGlobalAuthorisationConfigRepositoryImpl,
+	wire.Bind(new(globalConfigRepo.GlobalAuthorisationConfigRepository), new(*globalConfigRepo.GlobalAuthorisationConfigRepositoryImpl)),
+
+	globalConfig.NewGlobalAuthorisationConfigServiceImpl,
+	wire.Bind(new(globalConfig.GlobalAuthorisationConfigService), new(*globalConfig.GlobalAuthorisationConfigServiceImpl)),
 )

api/router/router.go

@@ -25,6 +25,7 @@ import (
 	"github.com/devtron-labs/devtron/api/appStore/chartGroup"
 	appStoreDeployment "github.com/devtron-labs/devtron/api/appStore/deployment"
 	"github.com/devtron-labs/devtron/api/argoApplication"
+	"github.com/devtron-labs/devtron/api/auth/authorisation/globalConfig"
 	"github.com/devtron-labs/devtron/api/auth/sso"
 	"github.com/devtron-labs/devtron/api/auth/user"
 	"github.com/devtron-labs/devtron/api/chartRepo"
@@ -126,6 +127,7 @@ type MuxRouter struct {
 	scanningResultRouter               resourceScan.ScanningResultRouter
 	userResourceRouter                 userResource.Router
 	overviewRouter                     OverviewRouter
+	globalAuthorisationConfigRouter    globalConfig.AuthorisationConfigRouter
 }
 
 func NewMuxRouter(logger *zap.SugaredLogger,
@@ -162,6 +164,7 @@ func NewMuxRouter(logger *zap.SugaredLogger,
 	scanningResultRouter resourceScan.ScanningResultRouter,
 	userResourceRouter userResource.Router,
 	overviewRouter OverviewRouter,
+	globalAuthorisationConfigRouter globalConfig.AuthorisationConfigRouter,
 ) *MuxRouter {
 	r := &MuxRouter{
 		Router:                             mux.NewRouter(),
@@ -230,6 +233,7 @@ func NewMuxRouter(logger *zap.SugaredLogger,
 		scanningResultRouter:               scanningResultRouter,
 		userResourceRouter:                 userResourceRouter,
 		overviewRouter:                     overviewRouter,
+		globalAuthorisationConfigRouter:    globalAuthorisationConfigRouter,
 	}
 	return r
 }
@@ -306,6 +310,9 @@ func (r MuxRouter) Init() {
 	userRouter := r.Router.PathPrefix("/orchestrator/user").Subrouter()
 	r.UserRouter.InitUserRouter(userRouter)
 
+	authorisationConfigRouter := r.Router.PathPrefix("/orchestrator/authorisation").Subrouter()
+	r.globalAuthorisationConfigRouter.InitAuthorisationConfigRouter(authorisationConfigRouter)
+
 	chartRefRouter := r.Router.PathPrefix("/orchestrator/chartref").Subrouter()
 	r.ChartRefRouter.initChartRefRouter(chartRefRouter)