feat: Resource viewer implementation for a cluster (#2811)

* API for getApiResources for a cluster

* update resource api

* resource delete API change

* native k8s support added for APIs

* gkv resource list api spec added

* added gkv resource list api

* resource list request dto modified

* added script

* namespaces api for cluster

* status added for resource list

* create resources API

* bug fix in get api-resources API

* events list api modified, for all gkv or by namespace

* bug fixes

* added cluster rbac for roleGroup

* createResources changed to applyResources

* updated cluster entity for create/update user apis

* api refactored

* extracted code for checking cluster entity rbac

* added casbin sql script for superadmin cluster entity policies

* updated spec

* applyResource change to createOrUpdate

* review changes and event list for all gkv fixed

* containers list added in resource list api

* auth for resource list api

* global kind event check added for event listing

* wip -fixes

* wip -fixes

* rbac for k8s event listing

* rbac changes for k8s resource list and event list

* sql file renamed and wire

* namespace bug fix

* added new api permission cluster list

* cluster extended wire fix, resource not found check

* fix

* added check for timestamp for resource list

* event and gvk api bug fix

* resourceIf with acceptHeader for getReeourceList API

* resource list api response modified

* refactor resource listing and added namespace

* refactoring

* review comment - itr1

* merged

* event listing changes revert and added updated api spec for cluster list and resource list

* RBAC apply handling added

* code cleanup

* bug fix

* reverted file change

* auth on namespace list

* removed unused struct

* resource browser RBAC handling

* code cleanup

* safe checks added

* not setting namespace in resource list API if gvk is global

* patch fix

* namespaced handling

* compile fix

* cluster and namespace list api handling for super admin

* review change

* resource listing for global kind event customize, and fix for namespace list

* refactoring

* aply resource bug fix

* nil pointer fix

* wire file

* down file change

* resource clubbing handling

* resource name fix for groups

* group roles checked for namespace and cluster list api

* added one more item star if has access to all namespaces

* refactoring

* manager auth RBAC handling

* multi resource validation handling

* all namespace data reverted

* RBAC in getApiResources API

* RBAC fix in ApplyResource for namespace

* bug fixes :
1) if cluster list is empty for non super admin user, then sending 403

* bug fixes :
1) sending 403 if empty api-resources

* fix: all group with particular kind handling

* Resource browser rbac (#2836)

* RBAC hierarchy check added

* hiererachy handlign for workload APIs

* gvk fix

* app group name fix

* switch case correction

Co-authored-by: Manish Agrawal <[email protected]>

* Revert "Resource browser rbac (#2836)" (#2838)

This reverts commit 094d3b8.

Co-authored-by: Manish Agrawal <[email protected]>
Co-authored-by: vikramdevtron <[email protected]>
Co-authored-by: kartik-579 <[email protected]>
Co-authored-by: Manish Agrawal <[email protected]>

Author: 4 people

api/apiToken/ApiTokenRestHandler.go

@@ -212,8 +212,8 @@ func (impl ApiTokenRestHandlerImpl) DeleteApiToken(w http.ResponseWriter, r *htt
 	common.WriteJsonResp(w, err, res, http.StatusOK)
 }
 
-func (handler ApiTokenRestHandlerImpl) checkManagerAuth(token string, object string) bool {
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionUpdate, strings.ToLower(object)); !ok {
+func (handler ApiTokenRestHandlerImpl) checkManagerAuth(resource, token, object string) bool {
+	if ok := handler.enforcer.Enforce(token, resource, casbin.ActionUpdate, strings.ToLower(object)); !ok {
 		return false
 	}
 	return true

api/bean/UserRequest.go

@@ -60,6 +60,12 @@ type RoleFilter struct {
 	Environment string `json:"environment"`
 	Action      string `json:"action"`
 	AccessType  string `json:"accessType"`
+
+	Cluster   string `json:"cluster"`
+	Namespace string `json:"namespace"`
+	Group     string `json:"group"`
+	Kind      string `json:"kind"`
+	Resource  string `json:"resource"`
 }
 
 type Role struct {
@@ -76,6 +82,12 @@ type RoleData struct {
 	Environment string `json:"environment"`
 	Action      string `json:"action"`
 	AccessType  string `json:"accessType"`
+
+	Cluster   string `json:"cluster"`
+	Namespace string `json:"namespace"`
+	Group     string `json:"group"`
+	Kind      string `json:"kind"`
+	Resource  string `json:"resource"`
 }
 
 type SSOLoginDto struct {
@@ -95,11 +107,11 @@ const (
 type PolicyType int
 
 const (
-	POLICY_DIRECT PolicyType = 1
-	POLICY_GROUP  PolicyType = 1
+	POLICY_DIRECT        PolicyType = 1
+	POLICY_GROUP         PolicyType = 1
+	SUPERADMIN                      = "role:super-admin___"
+	APP_ACCESS_TYPE_HELM            = "helm-app"
+	USER_TYPE_API_TOKEN             = "apiToken"
+	CHART_GROUP_ENTITY              = "chart-group"
+	CLUSTER_ENTITIY                 = "cluster"
 )
-
-const SUPERADMIN = "role:super-admin___"
-const APP_ACCESS_TYPE_HELM = "helm-app"
-
-const USER_TYPE_API_TOKEN = "apiToken"

api/cluster/ClusterRestHandler.go

@@ -51,7 +51,9 @@ type ClusterRestHandler interface {
 
 	FindAllForAutoComplete(w http.ResponseWriter, r *http.Request)
 	DeleteCluster(w http.ResponseWriter, r *http.Request)
+	GetClusterNamespaces(w http.ResponseWriter, r *http.Request)
 	GetAllClusterNamespaces(w http.ResponseWriter, r *http.Request)
+	FindAllForClusterPermission(w http.ResponseWriter, r *http.Request)
 }
 
 type ClusterRestHandlerImpl struct {
@@ -376,3 +378,68 @@ func (impl ClusterRestHandlerImpl) GetAllClusterNamespaces(w http.ResponseWriter
 
 	common.WriteJsonResp(w, nil, clusterNamespaces, http.StatusOK)
 }
+
+func (impl ClusterRestHandlerImpl) GetClusterNamespaces(w http.ResponseWriter, r *http.Request) {
+	//token := r.Header.Get("token")
+	vars := mux.Vars(r)
+	clusterIdString := vars["clusterId"]
+
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		impl.logger.Errorw("user not authorized", "error", err, "userId", userId)
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	token := r.Header.Get("token")
+	isActionUserSuperAdmin := false
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
+		isActionUserSuperAdmin = true
+	}
+	clusterId, err := strconv.Atoi(clusterIdString)
+	if err != nil {
+		impl.logger.Errorw("failed to extract clusterId from param", "error", err, "clusterId", clusterIdString)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	allClusterNamespaces, err := impl.clusterService.FindAllNamespacesByUserIdAndClusterId(userId, clusterId, isActionUserSuperAdmin)
+	if err != nil {
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, nil, allClusterNamespaces, http.StatusOK)
+}
+
+func (impl ClusterRestHandlerImpl) FindAllForClusterPermission(w http.ResponseWriter, r *http.Request) {
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		impl.logger.Errorw("user not authorized", "error", err, "userId", userId)
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	token := r.Header.Get("token")
+	isActionUserSuperAdmin := false
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
+		isActionUserSuperAdmin = true
+	}
+	clusterList, err := impl.clusterService.FindAllForClusterByUserId(userId, isActionUserSuperAdmin)
+	if err != nil {
+		impl.logger.Errorw("error in deleting cluster", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	// RBAC enforcer applying
+	// Already applied at service layer
+	//RBAC enforcer Ends
+
+	if len(clusterList) == 0 {
+		// assumption is that if list is empty, then it can happen only in case of Unauthorized (but not sending Unauthorized for super-admin user)
+		if isActionUserSuperAdmin {
+			clusterList = make([]cluster.ClusterBean, 0)
+		} else {
+			common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+			return
+		}
+	}
+	common.WriteJsonResp(w, err, clusterList, http.StatusOK)
+}

api/cluster/ClusterRouter.go

@@ -57,11 +57,19 @@ func (impl ClusterRouterImpl) InitClusterRouter(clusterRouter *mux.Router) {
 		Methods("GET").
 		HandlerFunc(impl.clusterRestHandler.FindAllForAutoComplete)
 
+	clusterRouter.Path("/namespaces/{clusterId}").
+		Methods("GET").
+		HandlerFunc(impl.clusterRestHandler.GetClusterNamespaces)
+
 	clusterRouter.Path("/namespaces").
 		Methods("GET").
 		HandlerFunc(impl.clusterRestHandler.GetAllClusterNamespaces)
 
 	clusterRouter.Path("").
 		Methods("DELETE").
 		HandlerFunc(impl.clusterRestHandler.DeleteCluster)
+
+	clusterRouter.Path("/auth-list").
+		Methods("GET").
+		HandlerFunc(impl.clusterRestHandler.FindAllForClusterPermission)
 }

api/user/UserRestHandler.go

@@ -64,21 +64,24 @@ type userNamePassword struct {
 }
 
 type UserRestHandlerImpl struct {
-	userService      user.UserService
-	validator        *validator.Validate
-	logger           *zap.SugaredLogger
-	enforcer         casbin.Enforcer
-	roleGroupService user.RoleGroupService
+	userService       user.UserService
+	validator         *validator.Validate
+	logger            *zap.SugaredLogger
+	enforcer          casbin.Enforcer
+	roleGroupService  user.RoleGroupService
+	userCommonService user.UserCommonService
 }
 
 func NewUserRestHandlerImpl(userService user.UserService, validator *validator.Validate,
-	logger *zap.SugaredLogger, enforcer casbin.Enforcer, roleGroupService user.RoleGroupService) *UserRestHandlerImpl {
+	logger *zap.SugaredLogger, enforcer casbin.Enforcer, roleGroupService user.RoleGroupService,
+	userCommonService user.UserCommonService) *UserRestHandlerImpl {
 	userAuthHandler := &UserRestHandlerImpl{
-		userService:      userService,
-		validator:        validator,
-		logger:           logger,
-		enforcer:         enforcer,
-		roleGroupService: roleGroupService,
+		userService:       userService,
+		validator:         validator,
+		logger:            logger,
+		enforcer:          enforcer,
+		roleGroupService:  roleGroupService,
+		userCommonService: userCommonService,
 	}
 	return userAuthHandler
 }
@@ -118,6 +121,12 @@ func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Req
 					return
 				}
 			}
+			if filter.Entity == bean.CLUSTER_ENTITIY {
+				if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !ok {
+					response.WriteResponse(http.StatusForbidden, "FORBIDDEN", w, errors.New("unauthorized"))
+					return
+				}
+			}
 		}
 	} else {
 		if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionCreate, "*"); !ok {
@@ -274,6 +283,11 @@ func (handler UserRestHandlerImpl) GetById(w http.ResponseWriter, r *http.Reques
 					authPass = false
 				}
 			}
+			if filter.Entity == bean.CLUSTER_ENTITIY {
+				if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !ok {
+					authPass = false
+				}
+			}
 			if authPass {
 				filteredRoleFilter = append(filteredRoleFilter, filter)
 			}
@@ -332,6 +346,12 @@ func (handler UserRestHandlerImpl) GetAll(w http.ResponseWriter, r *http.Request
 						break
 					}
 				}
+				if filter.Entity == bean.CLUSTER_ENTITIY {
+					if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); ok {
+						isAuthorised = true
+						break
+					}
+				}
 			}
 		}
 	}
@@ -414,6 +434,12 @@ func (handler UserRestHandlerImpl) DeleteUser(w http.ResponseWriter, r *http.Req
 					return
 				}
 			}
+			if filter.Entity == bean.CLUSTER_ENTITIY {
+				if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !ok {
+					common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+					return
+				}
+			}
 		}
 	} else {
 		if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionDelete, ""); !ok {
@@ -461,6 +487,11 @@ func (handler UserRestHandlerImpl) FetchRoleGroupById(w http.ResponseWriter, r *
 					authPass = false
 				}
 			}
+			if filter.Entity == bean.CLUSTER_ENTITIY {
+				if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !isValidAuth {
+					authPass = false
+				}
+			}
 			if authPass {
 				filteredRoleFilter = append(filteredRoleFilter, filter)
 			}
@@ -507,6 +538,12 @@ func (handler UserRestHandlerImpl) CreateRoleGroup(w http.ResponseWriter, r *htt
 					return
 				}
 			}
+			if filter.Entity == bean.CLUSTER_ENTITIY && !isActionUserSuperAdmin {
+				if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !isValidAuth {
+					common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+					return
+				}
+			}
 		}
 	} else {
 		if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionCreate, "*"); !ok {
@@ -616,6 +653,13 @@ func (handler UserRestHandlerImpl) FetchRoleGroups(w http.ResponseWriter, r *htt
 						break
 					}
 				}
+				if filter.Entity == bean.CLUSTER_ENTITIY {
+					if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); isValidAuth {
+						isAuthorised = true
+						break
+					}
+				}
+
 			}
 		}
 	}
@@ -714,6 +758,12 @@ func (handler UserRestHandlerImpl) DeleteRoleGroup(w http.ResponseWriter, r *htt
 					return
 				}
 			}
+			if filter.Entity == bean.CLUSTER_ENTITIY {
+				if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !isValidAuth {
+					common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+					return
+				}
+			}
 		}
 	}
 	//RBAC enforcer Ends
@@ -881,8 +931,8 @@ func (handler UserRestHandlerImpl) InvalidateRoleCache(w http.ResponseWriter, r
 
 }
 
-func (handler UserRestHandlerImpl) CheckManagerAuth(token string, object string) bool {
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionUpdate, strings.ToLower(object)); !ok {
+func (handler UserRestHandlerImpl) CheckManagerAuth(resource, token string, object string) bool {
+	if ok := handler.enforcer.Enforce(token, resource, casbin.ActionUpdate, strings.ToLower(object)); !ok {
 		return false
 	}
 	return true