feat: app filters enhancement (#6939)

* vendor files

* feat: auto assign permission group (#6923)

* feat: auto-assign role groups

* fix: sync claims with casbin policy

* feat: file re-structuring for ent oss sync

* feat: global auth apis

* sync file name with oss

* fix: global auth apis wire register for ea mode (#6929)

* fix: global auth apis wire register for ea mode

* fix: linting

* release: PR for v2.1.0 (#6928)

* Updated release-notes files

* Updated release notes

* Updated release notes

* Updated release notes

* Updated release notes

* Updated release notes

* Updated release notes

* Updated release notes

* Updated release notes

* Updated devtron to 59238e8-434-38692 tag in values file

* Updated kubelink to 6b408df4-564-38694 tag in values file

* Updated dashboard to d87d9a07-690-38693 tag in values file

* Updated release notes

* Updated release notes

* Updated release notes

* Updated release notes

* Updated kubewatch to fbde4d5e-419-38744 tag in values file

* Updated hyperion to 37b07f1-280-38743 tag in values file

* Updated devtron to 37b07f1-434-38746 tag in values file

* Updated kubelink to fbde4d5e-564-38749 tag in values file

* Updated git-sensor to fbde4d5e-200-38750 tag in values file

* Updated lens to fbde4d5e-333-38752 tag in values file

* Updated dashboard to d4a16ea7-690-38751 tag in values file

* Updated ci-runner to fbde4d5e-138-38754 tag in values file

* Updated image-scanner to fbde4d5e-141-38756 tag in values file

* Updated notifier to 580d409b-372-38755 tag in values file

* Updated chart-sync to fbde4d5e-836-38757 tag in values file

* Updated the version in scripts

* Update TimescaleDB password secret reference

* Bump version from 0.22.99 to 0.23.1

* Add CLUSTER_OVERVIEW_MAX_STALE_DATA_SECONDS variable

* Update releasenotes.md

* Update release-notes-v2.1.0.md

* Updated devtron to 634eb59-434-38762 tag in values file

* Updated hyperion to 634eb59-280-38763 tag in values file

---------

Co-authored-by: akshatsinha007 <156403098+akshatsinha007@users.noreply.github.com>

* add support of container name in cronjob

* fix: clusterId check for modifying triggers for cluster level notification (#6932)

* fix: auto assign permission group related fixes (#6934)

* fix: sync auto-assigned groups with casbin_rule user→group policies

* fix: support token for rbac check for clusters

* fix: support token for checkUser roles

* fix: support token based authentication for policy rest handlers

* fix: check for user isGroupClaims active in all rbac related functions

* fix: add email in case of devtron system managed

* fix: ea mode dependency updates

* feat: update app listing tag filter payload and operators

(cherry picked from commit a2866a1b5f54f7a5e6f94d73c6e3011ffabd789d)

* feat: refine tag negative operators behavior

(cherry picked from commit 5a5d201c1072b3e147287967ff99666d3fd35122)

* jsontag

(cherry picked from commit 81341fccad519cabd5b94c9b26e4f19b8a832c2c)

* migration renaming

(cherry picked from commit c2e625e2ea0aa1feb3d655dd8f28fbf28c96c43a)

* refactor app list tag-filter validation

(cherry picked from commit 60ef7488f49db9b56e2f55323066cc8ea8ba2c55)

* feat: add tag filter support in app listing

(cherry picked from commit 57e4fd6b65185e2f3f6add7d7010f4c1ebdcf1fc)

* chore: add logs for app listing query builder errors

(cherry picked from commit 4e682d12255bc748eb18325cbeda662771cdf60b)

* fix: correct app label filter migration sequence

* rename migration no

* release: PR for v2.1.1 (#6940)

* Updated release-notes files

* Updated release notes

* Updated release notes

* Updated devtron to 1188d0b-434-38818 tag in values file

* Updated hyperion to 1188d0b-280-38819 tag in values file

* Updated release notes

* Updated dashboard to 8a175cbd-690-38843 tag in values file

* Updated the version in scripts

* Update release notes for version 2.1.1

* Update release notes for version 2.1.1

Removed the Enhancements and Others sections from the release notes.

---------

Co-authored-by: akshatsinha007 <156403098+akshatsinha007@users.noreply.github.com>

* sync: migration seq (#6942)

* sync: migration files

* sync: migration files

* renamed migration no

---------

Co-authored-by: Vikram <73224103+vikramdevtron@users.noreply.github.com>
Co-authored-by: prakhar katiyar <prkhrkat@gmail.com>
Co-authored-by: prakhar katiyar <39842461+prkhrkat@users.noreply.github.com>
Co-authored-by: satya_prakash <155617493+SATYAsasini@users.noreply.github.com>
Co-authored-by: systemsdt <129372406+systemsdt@users.noreply.github.com>
Co-authored-by: akshatsinha007 <156403098+akshatsinha007@users.noreply.github.com>
Co-authored-by: Neha Sharma <nehasharma@Nehas-MacBook-Pro.local>
Co-authored-by: AJAY KUMAR <99399155+ajaydevtron@users.noreply.github.com>

Author: 8 people

CHANGELOG/release-notes-v2.1.0.md

@@ -0,0 +1,14 @@
+## v2.1.0
+
+## Enhancements
+- feat: auto assign permission group ( https://github.com/devtron-labs/devtron/issues/6911 )
+## Bugs
+- fix: prevent exposure of internal-only attributes in API responses and requests (#6917)
+- fix: append filtered cluster details to the cluster detail list in capacity handler (#6915)
+- fix: enhance cluster overview response with raw cluster capacity details and caching support (#6914)
+- fix: Handle cluster capacity fetch errors by returning detailed connection failure status (#6912)
+## Others
+- sync: main (#6920)
+- chore: Adds scarf pixel (#6918)
+- misc: add clientIP in audit log (#6908)
+- misc: Refactor vulnerability query implementation and cleanup unused code (#6907)

CHANGELOG/release-notes-v2.1.1.md

@@ -0,0 +1,5 @@
+## v2.1.1
+
+## Bugs
+- fix: auto assign permission group related fixes (#6934)
+- fix: clusterId check for modifying triggers for cluster level notific… (#6932)

Wire.go

@@ -33,6 +33,7 @@ import (
 	appStoreDiscover "github.com/devtron-labs/devtron/api/appStore/discover"
 	appStoreValues "github.com/devtron-labs/devtron/api/appStore/values"
 	"github.com/devtron-labs/devtron/api/argoApplication"
+	"github.com/devtron-labs/devtron/api/auth/authorisation/globalConfig"
 	"github.com/devtron-labs/devtron/api/auth/sso"
 	"github.com/devtron-labs/devtron/api/auth/user"
 	chartRepo "github.com/devtron-labs/devtron/api/chartRepo"
@@ -192,6 +193,7 @@ func InitializeApp() (*App, error) {
 		externalLink.ExternalLinkWireSet,
 		team.TeamsWireSet,
 		AuthWireSet,
+		globalConfig.GlobalConfigWireSet,
 		util4.GetRuntimeConfig,
 		util4.NewK8sUtil,
 		wire.Bind(new(util4.K8sService), new(*util4.K8sServiceImpl)),
@@ -993,7 +995,7 @@ func InitializeApp() (*App, error) {
 
 		router.NewOverviewRouterImpl,
 		wire.Bind(new(router.OverviewRouter), new(*router.OverviewRouterImpl)),
-		
+
 		restHandler.NewInfraOverviewRestHandlerImpl,
 		wire.Bind(new(restHandler.InfraOverviewRestHandler), new(*restHandler.InfraOverviewRestHandlerImpl)),
 

api/auth/authorisation/globalConfig/GlobalConfigAuthorisationConfigRouter.go

@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2024. Devtron Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package globalConfig
+
+import "github.com/gorilla/mux"
+
+type AuthorisationConfigRouter interface {
+	InitAuthorisationConfigRouter(router *mux.Router)
+}
+
+type AuthorisationConfigRouterImpl struct {
+	handler AuthorisationConfigRestHandler
+}
+
+func NewGlobalConfigAuthorisationRouterImpl(handler AuthorisationConfigRestHandler) *AuthorisationConfigRouterImpl {
+	return &AuthorisationConfigRouterImpl{handler: handler}
+}
+
+func (router *AuthorisationConfigRouterImpl) InitAuthorisationConfigRouter(authorisationConfigRouter *mux.Router) {
+	authorisationConfigRouter.Path("/global-config").
+		HandlerFunc(router.handler.CreateOrUpdateAuthorisationConfig).Methods("POST")
+	authorisationConfigRouter.Path("/global-config").
+		HandlerFunc(router.handler.GetAllActiveAuthorisationConfig).Methods("GET")
+}

api/auth/authorisation/globalConfig/GlobalConfigAuthorisationRestHandler.go

@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2024. Devtron Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package globalConfig
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"github.com/devtron-labs/devtron/api/restHandler/common"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	auth "github.com/devtron-labs/devtron/pkg/auth/authorisation/globalConfig"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/globalConfig/bean"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
+	"github.com/devtron-labs/devtron/util/commonEnforcementFunctionsUtil"
+	"go.uber.org/zap"
+	"gopkg.in/go-playground/validator.v9"
+)
+
+type AuthorisationConfigRestHandler interface {
+	CreateOrUpdateAuthorisationConfig(w http.ResponseWriter, r *http.Request)
+	GetAllActiveAuthorisationConfig(w http.ResponseWriter, r *http.Request)
+}
+
+type AuthorisationConfigRestHandlerImpl struct {
+	validator                        *validator.Validate
+	logger                           *zap.SugaredLogger
+	enforcer                         casbin.Enforcer
+	userService                      user.UserService
+	userCommonService                user.UserCommonService
+	globalAuthorisationConfigService auth.GlobalAuthorisationConfigService
+	rbacEnforcementUtil              commonEnforcementFunctionsUtil.CommonEnforcementUtil
+}
+
+func NewGlobalAuthorisationConfigRestHandlerImpl(validator *validator.Validate,
+	logger *zap.SugaredLogger, enforcer casbin.Enforcer,
+	userService user.UserService,
+	globalAuthorisationConfigService auth.GlobalAuthorisationConfigService,
+	userCommonService user.UserCommonService,
+	rbacEnforcementUtil commonEnforcementFunctionsUtil.CommonEnforcementUtil,
+) *AuthorisationConfigRestHandlerImpl {
+	return &AuthorisationConfigRestHandlerImpl{
+		validator:                        validator,
+		logger:                           logger,
+		enforcer:                         enforcer,
+		userService:                      userService,
+		globalAuthorisationConfigService: globalAuthorisationConfigService,
+		userCommonService:                userCommonService,
+		rbacEnforcementUtil:              rbacEnforcementUtil,
+	}
+}
+
+func (handler *AuthorisationConfigRestHandlerImpl) CreateOrUpdateAuthorisationConfig(w http.ResponseWriter, r *http.Request) {
+	userId, err := handler.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.HandleUnauthorized(w, r)
+		return
+	}
+	decoder := json.NewDecoder(r.Body)
+	var globalConfigPayload bean.GlobalAuthorisationConfig
+	err = decoder.Decode(&globalConfigPayload)
+	if err != nil {
+		handler.logger.Errorw("request err, CreateOrUpdateAuthorisationConfig", "err", err, "payload", globalConfigPayload)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+	token := r.Header.Get("token")
+	if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionCreate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+	isValidationError, err := handler.validateGlobalAuthorisationConfigPayload(globalConfigPayload)
+	if err != nil {
+		handler.logger.Errorw("error, validateGlobalAuthorisationConfigPayload", "payload", globalConfigPayload, "err", err)
+		if isValidationError {
+			common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+			return
+		}
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	globalConfigPayload.UserId = userId
+	resp, err := handler.globalAuthorisationConfigService.CreateOrUpdateGlobalAuthConfig(globalConfigPayload, nil)
+	if err != nil {
+		handler.logger.Errorw("service error, CreateOrUpdateAuthorisationConfig", "err", err, "payload", globalConfigPayload)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, nil, resp, http.StatusOK)
+}
+
+func (handler *AuthorisationConfigRestHandlerImpl) GetAllActiveAuthorisationConfig(w http.ResponseWriter, r *http.Request) {
+	userId, err := handler.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.HandleUnauthorized(w, r)
+		return
+	}
+	token := r.Header.Get("token")
+	isAuthorised, err := handler.rbacEnforcementUtil.CheckRbacForMangerAndAboveAccess(token, userId)
+	if err != nil {
+		handler.logger.Errorw("error, GetAllActiveAuthorisationConfig", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	if !isAuthorised {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+	resp, err := handler.globalAuthorisationConfigService.GetAllActiveAuthorisationConfig()
+	if err != nil {
+		handler.logger.Errorw("service error, GetAllActiveAuthorisationConfig", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, nil, resp, http.StatusOK)
+}
+
+func (handler *AuthorisationConfigRestHandlerImpl) validateGlobalAuthorisationConfigPayload(globalConfigPayload bean.GlobalAuthorisationConfig) (bool, error) {
+	err := handler.validator.Struct(globalConfigPayload)
+	if err != nil {
+		handler.logger.Errorw("err, validateGlobalAuthorisationConfigPayload", "payload", globalConfigPayload, "err", err)
+		return true, err
+	}
+	if len(globalConfigPayload.ConfigTypes) == 0 {
+		handler.logger.Errorw("err, validation failed on validateGlobalAuthorisationConfigPayload due to no configType provided", "payload", globalConfigPayload)
+		return true, errors.New("no configTypes provided in request")
+	}
+	return false, nil
+}

api/auth/authorisation/globalConfig/wire_globalConfig.go

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2024. Devtron Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package globalConfig
+
+import "github.com/google/wire"
+
+// GlobalConfigWireSet wires the REST handler and router for the authorisation global-config API.
+// NOTE: GlobalAuthorisationConfigRepository and GlobalAuthorisationConfigService are already
+// provided by UserWireSet (api/auth/user/wire_user.go) and must not be re-declared here.
+var GlobalConfigWireSet = wire.NewSet(
+	NewGlobalAuthorisationConfigRestHandlerImpl,
+	wire.Bind(new(AuthorisationConfigRestHandler), new(*AuthorisationConfigRestHandlerImpl)),
+	NewGlobalConfigAuthorisationRouterImpl,
+	wire.Bind(new(AuthorisationConfigRouter), new(*AuthorisationConfigRouterImpl)),
+)

api/auth/user/UserRestHandler.go

@@ -749,7 +749,8 @@ func (handler UserRestHandlerImpl) CheckUserRoles(w http.ResponseWriter, r *http
 		common.HandleUnauthorized(w, r)
 		return
 	}
-	roles, err := handler.userService.CheckUserRoles(userId, "")
+	token := r.Header.Get("token")
+	roles, err := handler.userService.CheckUserRoles(userId, token)
 	if err != nil {
 		handler.logger.Errorw("service err, CheckUserRoles", "err", err, "userId", userId)
 		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)

api/auth/user/wire_selfRegistration.go

@@ -25,6 +25,7 @@ import (
 //depends on sql,
 //TODO integrate user auth module
 
+// SelfRegistrationWireSet depends on GlobalAuthorisationConfigService which is provided by UserWireSet
 var SelfRegistrationWireSet = wire.NewSet(
 	repository.NewSelfRegistrationRolesRepositoryImpl,
 	wire.Bind(new(repository.SelfRegistrationRolesRepository), new(*repository.SelfRegistrationRolesRepositoryImpl)),

api/auth/user/wire_user.go

@@ -19,6 +19,8 @@ package user
 import (
 	"github.com/devtron-labs/devtron/pkg/auth/authentication"
 	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	globalConfig "github.com/devtron-labs/devtron/pkg/auth/authorisation/globalConfig"
+	globalConfigRepo "github.com/devtron-labs/devtron/pkg/auth/authorisation/globalConfig/repository"
 	user2 "github.com/devtron-labs/devtron/pkg/auth/user"
 	repository2 "github.com/devtron-labs/devtron/pkg/auth/user/repository"
 	"github.com/google/wire"
@@ -77,4 +79,13 @@ var UserWireSet = wire.NewSet(
 	wire.Bind(new(RbacRoleRestHandler), new(*RbacRoleRestHandlerImpl)),
 	user2.NewRbacRoleServiceImpl,
 	wire.Bind(new(user2.RbacRoleService), new(*user2.RbacRoleServiceImpl)),
+
+	repository2.NewUserAutoAssignGroupMapRepositoryImpl,
+	wire.Bind(new(repository2.UserAutoAssignGroupMapRepository), new(*repository2.UserAutoAssignGroupMapRepositoryImpl)),
+
+	globalConfigRepo.NewGlobalAuthorisationConfigRepositoryImpl,
+	wire.Bind(new(globalConfigRepo.GlobalAuthorisationConfigRepository), new(*globalConfigRepo.GlobalAuthorisationConfigRepositoryImpl)),
+
+	globalConfig.NewGlobalAuthorisationConfigServiceImpl,
+	wire.Bind(new(globalConfig.GlobalAuthorisationConfigService), new(*globalConfig.GlobalAuthorisationConfigServiceImpl)),
 )

api/cluster/ClusterRestHandler.go

@@ -686,7 +686,7 @@ func (impl ClusterRestHandlerImpl) HandleRbacForClusterNamespace(userId int32, t
 	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
 		return clusterNamespaces, nil
 	}
-	roles, err := impl.clusterService.FetchRolesFromGroup(userId)
+	roles, err := impl.clusterService.FetchRolesFromGroup(userId, token)
 	if err != nil {
 		impl.logger.Errorw("error on fetching user roles for cluster list", "err", err)
 		return nil, err
@@ -740,7 +740,7 @@ func (impl ClusterRestHandlerImpl) GetClusterNamespaces(w http.ResponseWriter, r
 		return
 	}
 
-	allClusterNamespaces, err := impl.clusterService.FindAllNamespacesByUserIdAndClusterId(userId, clusterId, isActionUserSuperAdmin)
+	allClusterNamespaces, err := impl.clusterService.FindAllNamespacesByUserIdAndClusterId(userId, clusterId, isActionUserSuperAdmin, token)
 	if err != nil {
 		// Check if it's a cluster connectivity error and return appropriate status code
 		if err.Error() == cluster.ErrClusterNotReachable {
@@ -767,7 +767,7 @@ func (impl ClusterRestHandlerImpl) FindAllForClusterPermission(w http.ResponseWr
 	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
 		isActionUserSuperAdmin = true
 	}
-	clusterList, err := impl.clusterService.FindAllForClusterByUserId(userId, isActionUserSuperAdmin)
+	clusterList, err := impl.clusterService.FindAllForClusterByUserId(userId, isActionUserSuperAdmin, token)
 	if err != nil {
 		impl.logger.Errorw("error in deleting cluster", "err", err)
 		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)