feat: Secret viewable key enhancements in get resource api and draft api

api/k8s/application/k8sApplicationRestHandler.go

@@ -62,9 +62,9 @@ type K8sApplicationRestHandlerImpl struct {
 	validator              *validator.Validate
 	enforcerUtil           rbac.EnforcerUtil
 	enforcerUtilHelm       rbac.EnforcerUtilHelm
-	helmAppService   client.HelmAppService
-	userService      user.UserService
-	k8sCommonService k8s.K8sCommonService
+	helmAppService         client.HelmAppService
+	userService            user.UserService
+	k8sCommonService       k8s.K8sCommonService
 }
 
 func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationService application2.K8sApplicationService, pump connector.Pump, terminalSessionHandler terminal.TerminalSessionHandler, enforcer casbin.Enforcer, enforcerUtilHelm rbac.EnforcerUtilHelm, enforcerUtil rbac.EnforcerUtil, helmAppService client.HelmAppService, userService user.UserService, k8sCommonService k8s.K8sCommonService, validator *validator.Validate) *K8sApplicationRestHandlerImpl {
@@ -202,8 +202,8 @@ func (handler *K8sApplicationRestHandlerImpl) GetResource(w http.ResponseWriter,
 		common.WriteJsonResp(w, err, resource, http.StatusInternalServerError)
 		return
 	}
-	if resource != nil {
-		err = resource.SetRunningEphemeralContainers()
+	if resource != nil && resource.ManifestResponse != nil {
+		err = resource.ManifestResponse.SetRunningEphemeralContainers()
 		if err != nil {
 			handler.logger.Errorw("error in setting running ephemeral containers and setting them in resource response", "err", err)
 			common.WriteJsonResp(w, err, resource, http.StatusInternalServerError)
@@ -215,10 +215,10 @@ func (handler *K8sApplicationRestHandlerImpl) GetResource(w http.ResponseWriter,
 	// Obfuscate secret if user does not have edit access
 	if request.AppIdentifier == nil && request.DevtronAppIdentifier == nil && request.ClusterId > 0 {
 		// Verify update access for Resource Browser
-		canUpdate = handler.k8sApplicationService.ValidateClusterResourceBean(r.Context(), request.ClusterId, resource.Manifest, request.K8sRequest.ResourceIdentifier.GroupVersionKind, handler.getRbacCallbackForResource(token, casbin.ActionUpdate))
+		canUpdate = handler.k8sApplicationService.ValidateClusterResourceBean(r.Context(), request.ClusterId, resource.ManifestResponse.Manifest, request.K8sRequest.ResourceIdentifier.GroupVersionKind, handler.getRbacCallbackForResource(token, casbin.ActionUpdate))
 		if !canUpdate {
 			// Verify read access for Resource Browser
-			readAllowed := handler.k8sApplicationService.ValidateClusterResourceBean(r.Context(), request.ClusterId, resource.Manifest, request.K8sRequest.ResourceIdentifier.GroupVersionKind, handler.getRbacCallbackForResource(token, casbin.ActionGet))
+			readAllowed := handler.k8sApplicationService.ValidateClusterResourceBean(r.Context(), request.ClusterId, resource.ManifestResponse.Manifest, request.K8sRequest.ResourceIdentifier.GroupVersionKind, handler.getRbacCallbackForResource(token, casbin.ActionGet))
 			if !readAllowed {
 				common.WriteJsonResp(w, errors2.New("unauthorized"), nil, http.StatusForbidden)
 				return
@@ -227,14 +227,16 @@ func (handler *K8sApplicationRestHandlerImpl) GetResource(w http.ResponseWriter,
 	}
 	if !canUpdate && resource != nil {
 		// Hide secret for read only access
-		modifiedManifest, err := k8sObjectsUtil.HideValuesIfSecret(&resource.Manifest)
+		modifiedManifest, err := k8sObjectsUtil.HideValuesIfSecret(&resource.ManifestResponse.Manifest)
 		if err != nil {
 			handler.logger.Errorw("error in hiding secret values", "err", err)
 			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 			return
 		}
-		resource.Manifest = *modifiedManifest
+		resource.ManifestResponse.Manifest = *modifiedManifest
 	}
+	// setting flag for secret view access
+	resource.SecretViewAccess = canUpdate
 
 	common.WriteJsonResp(w, nil, resource, http.StatusOK)
 }

pkg/clusterTerminalAccess/UserTerminalAccessService.go

@@ -838,7 +838,7 @@ func (impl *UserTerminalAccessServiceImpl) getPodManifest(ctx context.Context, c
 			return nil, err
 		}
 	}
-	return response, nil
+	return response.ManifestResponse, nil
 }
 
 func (impl *UserTerminalAccessServiceImpl) getPodRequestBean(clusterId int, podName string, namespace string) (*k8s.ResourceRequestBean, error) {
@@ -1130,7 +1130,7 @@ func (impl *UserTerminalAccessServiceImpl) EditTerminalPodManifest(ctx context.C
 func (impl *UserTerminalAccessServiceImpl) checkOtherPodExists(ctx context.Context, podName, namespace string, clusterId int) bool {
 	podRequestBean, _ := impl.getPodRequestBean(clusterId, podName, namespace)
 	res, _ := impl.K8sCommonService.GetResource(ctx, podRequestBean)
-	if res != nil {
+	if res != nil && res.ManifestResponse != nil {
 		return true
 	}
 	return false

pkg/k8s/K8sCommonService.go

@@ -27,7 +27,7 @@ import (
 )
 
 type K8sCommonService interface {
-	GetResource(ctx context.Context, request *ResourceRequestBean) (resp *k8s.ManifestResponse, err error)
+	GetResource(ctx context.Context, request *ResourceRequestBean) (resp *ResourceGetResponse, err error)
 	UpdateResource(ctx context.Context, request *ResourceRequestBean) (resp *k8s.ManifestResponse, err error)
 	DeleteResource(ctx context.Context, request *ResourceRequestBean) (resp *k8s.ManifestResponse, err error)
 	ListEvents(ctx context.Context, request *ResourceRequestBean) (*k8s.EventsResponse, error)
@@ -65,7 +65,7 @@ func NewK8sCommonServiceImpl(Logger *zap.SugaredLogger, k8sUtils *k8s.K8sUtil,
 	}
 }
 
-func (impl *K8sCommonServiceImpl) GetResource(ctx context.Context, request *ResourceRequestBean) (*k8s.ManifestResponse, error) {
+func (impl *K8sCommonServiceImpl) GetResource(ctx context.Context, request *ResourceRequestBean) (*ResourceGetResponse, error) {
 	clusterId := request.ClusterId
 	//getting rest config by clusterId
 	restConfig, err, _ := impl.GetRestConfigByClusterId(ctx, clusterId)
@@ -79,7 +79,10 @@ func (impl *K8sCommonServiceImpl) GetResource(ctx context.Context, request *Reso
 		impl.logger.Errorw("error in getting resource", "err", err, "resource", resourceIdentifier.Name)
 		return nil, err
 	}
-	return resp, nil
+	response := &ResourceGetResponse{
+		ManifestResponse: resp,
+	}
+	return response, nil
 }
 
 func (impl *K8sCommonServiceImpl) UpdateResource(ctx context.Context, request *ResourceRequestBean) (*k8s.ManifestResponse, error) {
@@ -292,7 +295,9 @@ func (impl *K8sCommonServiceImpl) getManifestsByBatch(ctx context.Context, reque
 			wg.Add(1)
 			go func(j int) {
 				resp := BatchResourceResponse{}
-				resp.ManifestResponse, resp.Err = impl.GetResource(ctx, &requests[i+j])
+				response, err := impl.GetResource(ctx, &requests[i+j])
+				resp.ManifestResponse = response.ManifestResponse
+				resp.Err = err
 				res[i+j] = resp
 				wg.Done()
 			}(j)

pkg/k8s/application/k8sApplicationService.go

@@ -336,7 +336,7 @@ func (impl *K8sApplicationServiceImpl) ValidateClusterResourceRequest(ctx contex
 		impl.logger.Errorw("error in getting resource", "err", err, "request", clusterResourceRequest)
 		return false, err
 	}
-	return impl.validateResourceManifest(clusterName, respManifest.Manifest, k8sRequest.ResourceIdentifier.GroupVersionKind, rbacCallback), nil
+	return impl.validateResourceManifest(clusterName, respManifest.ManifestResponse.Manifest, k8sRequest.ResourceIdentifier.GroupVersionKind, rbacCallback), nil
 }
 
 func (impl *K8sApplicationServiceImpl) validateResourceManifest(clusterName string, resourceManifest unstructured.Unstructured, gvk schema.GroupVersionKind, rbacCallback func(clusterName string, resourceIdentifier k8s2.ResourceIdentifier) bool) bool {

pkg/k8s/bean.go

@@ -35,3 +35,8 @@ type PodContainerList struct {
 	InitContainers      []string
 	EphemeralContainers []string
 }
+
+type ResourceGetResponse struct {
+	ManifestResponse *k8s.ManifestResponse `json:"manifestResponse"`
+	SecretViewAccess bool                  `json:"secretViewAccess"` // this is being used to check whether a user can see obscured secret values or not.
+}

pkg/k8s/capacity/k8sCapacityService.go

@@ -472,12 +472,12 @@ func (impl *K8sCapacityServiceImpl) updateManifestData(ctx context.Context, node
 		K8sRequest: manifestRequest,
 		ClusterId:  clusterId,
 	}
-	manifestResponse, err := impl.k8sCommonService.GetResource(ctx, request)
+	response, err := impl.k8sCommonService.GetResource(ctx, request)
 	if err != nil {
 		impl.logger.Errorw("error in getting node manifest", "err", err)
 		return err
 	}
-	nodeDetail.Manifest = manifestResponse.Manifest
+	nodeDetail.Manifest = response.ManifestResponse.Manifest
 	return nil
 }
 

pkg/pipeline/WorkflowDagExecutor.go

@@ -4324,7 +4324,7 @@ func (impl *WorkflowDagExecutorImpl) autoscalingCheckBeforeTrigger(ctx context.C
 				impl.logger.Errorw("error occurred while fetching resource for app", "resourceName", hpaResourceRequest.ResourceName, "err", err)
 				return merged
 			}
-			resourceManifest = k8sResource.Manifest.Object
+			resourceManifest = k8sResource.ManifestResponse.Manifest.Object
 		}
 		if len(resourceManifest) > 0 {
 			statusMap := resourceManifest["status"].(map[string]interface{})

pkg/pipeline/history/ConfigMapHistoryService.go

@@ -466,6 +466,7 @@ func (impl ConfigMapHistoryServiceImpl) GetHistoryForDeployedCMCSById(ctx contex
 			VariableSnapshot: variableSnapshotMap,
 			ResolvedValue:    resolvedTemplate,
 		},
+		SecretViewAccess: userHasAdminAccess,
 	}
 	if configType == repository.SECRET_TYPE {
 		if config.Data != nil {

pkg/pipeline/history/bean.go

@@ -58,6 +58,7 @@ type HistoryDetailDto struct {
 	SubPath            *bool                `json:"subPath,omitempty"`
 	FilePermission     string               `json:"filePermission,omitempty"`
 	CodeEditorValue    *HistoryDetailConfig `json:"codeEditorValue"`
+	SecretViewAccess   bool                 `json:"secretViewAccess"` // this is being used to check whether a user can see obscured secret values or not.
 }
 
 type HistoryDetailConfig struct {

specs/resourceGet.yaml

@@ -0,0 +1,33 @@
+openapi: 3.0.0
+info:
+  title: ResourceGetResponse API
+  version: 1.0.0
+paths:
+  orchestrator/k8s/resource:
+    get:
+      summary: Retrieve resource information
+      responses:
+        '200':
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ResourceGetResponse'
+components:
+  schemas:
+    ResourceGetResponse:
+      type: object
+      properties:
+        manifestResponse:
+          $ref: '#/components/schemas/ManifestResponse'
+        secretViewAccess:
+          type: boolean
+          description: >
+            Indicates whether a user can see obscured secret values or not.
+      required:
+        - manifestResponse
+        - secretViewAccess
+
+    ManifestResponse:
+      type: object  # Assuming ManifestResponse is an object, adjust as needed
+      # Define properties of the ManifestResponse object as needed