Merge branch 'main' into renovate/jest-monorepo

charts/kuberpult/Earthfile

@@ -3,7 +3,7 @@ VERSION 0.7
 
 
 godeps:
-    FROM golang:1.21-alpine
+    FROM golang:1.22-alpine
 
     RUN apk add curl
 

pkg/auth/rbac.go

@@ -185,6 +185,25 @@ func ValidateRbacPermission(line string) (p Permission, err error) {
 	}, nil
 }
 
+func ValidateRbacGroup(line string) (p RBACGroup, err error) {
+	// Verifies if all fields are specified
+	c := strings.Split(line, ",")
+	if len(c) != 3 {
+		return p, fmt.Errorf("3 fields are expected but %d were specified", len(c))
+	}
+	// get group name
+	group := c[1]
+	// Permission role
+	if !strings.Contains(c[2], "role:") {
+		return p, fmt.Errorf("the format for groups expects the prefix `role:` for a group's role")
+	}
+	role := c[2][5:]
+	return RBACGroup{
+		Role:  role,
+		Group: group,
+	}, nil
+}
+
 func ReadRbacPolicy(dexEnabled bool, DexRbacPolicyPath string) (policy *RBACPolicies, err error) {
 	if !dexEnabled {
 		return nil, nil
@@ -207,6 +226,14 @@ func ReadRbacPolicy(dexEnabled bool, DexRbacPolicyPath string) (policy *RBACPoli
 				return nil, err
 			}
 			policy.Permissions[line] = p
+		} else if line[0] == 'g' {
+			g, err := ValidateRbacGroup(line)
+			if err != nil {
+				return nil, err
+			}
+			policy.Groups[line] = g
+		} else {
+			return nil, fmt.Errorf("unable to assign policy to either group roles (g) or permission (p): " + line)
 		}
 	}
 	if len(policy.Permissions) == 0 {

pkg/auth/rbac_test.go

@@ -86,6 +86,47 @@ func TestValidateRbacPermission(t *testing.T) {
 	}
 }
 
+func TestValidateRbacGroup(t *testing.T) {
+	tcs := []struct {
+		Name           string
+		Group          string
+		WantError      error
+		WantPermission RBACGroup
+	}{
+		{
+			Name:  "Validating RBAC works as expected",
+			Group: "g,freiheit-com-org:fdc-org-team1,role:admin",
+			WantPermission: RBACGroup{
+				Role:  "admin",
+				Group: "freiheit-com-org:fdc-org-team1",
+			},
+		},
+		{
+			Name:      "Incorrect parsing of line passed to function",
+			Group:     "g,freiheit-com-org:fdc-org-team1,role:admin,another_thing",
+			WantError: errMatcher{"3 fields are expected but 4 were specified"},
+		},
+		{
+			Name:      "Incorrect parsing of line passed to function",
+			Group:     "g,freiheit-com-org:fdc-org-team1,admin",
+			WantError: errMatcher{"the format for groups expects the prefix `role:` for a group's role"},
+		},
+	}
+
+	for _, tc := range tcs {
+		tc := tc
+		t.Run(tc.Name, func(t *testing.T) {
+			group, err := ValidateRbacGroup(tc.Group)
+			if diff := cmp.Diff(tc.WantError, err, cmpopts.EquateErrors()); diff != "" {
+				t.Errorf("error mismatch (-want, +got):\n%s", diff)
+			}
+			if diff := cmp.Diff(group, tc.WantPermission, cmpopts.EquateEmpty()); diff != "" {
+				t.Errorf("%s: unexpected result diff : %v", tc.Name, diff)
+			}
+		})
+	}
+}
+
 func TestCheckUserPermissions(t *testing.T) {
 	tcs := []struct {
 		Name        string

services/cd-service/policy.csv

@@ -7,3 +7,5 @@ p, role:Developer, DeployUndeploy, *:*, *, allow
 p, role:Developer, CreateEnvironment, *:*, *, allow
 p, role:Developer, DeleteEnvironmentApplication, *:*, *, allow
 p, role:Developer, DeployReleaseTrain, *:*, *, allow
+
+g, freiheit-com-org:fdc-org-team1, role:admin

services/frontend-service/pkg/interceptors/interceptors.go

@@ -41,6 +41,8 @@ func authorize(ctx context.Context, jwks *keyfunc.JWKS, clientId string, tenantI
 
 	authHeader, ok := md["authorization"]
 	if !ok {
+		// this happens if the caller does not pass the "authHeader".
+		// correct example: api.overviewService().StreamOverview({}, authHeader)
 		return nil, status.Errorf(codes.Unauthenticated, "Authorization token not supplied")
 	}
 

services/frontend-service/src/ui/Pages/CommitInfo/CommitInfoPage.tsx

@@ -21,16 +21,18 @@ import { Spinner } from '../../components/Spinner/Spinner';
 import { useParams } from 'react-router-dom';
 import React from 'react';
 import { CommitInfo } from '../../components/CommitInfo/CommitInfo';
+import { useAzureAuthSub } from '../../utils/AzureAuthProvider';
 
 export const CommitInfoPage: React.FC = () => {
     const [everythingLoaded, loadingState] = useGlobalLoadingState();
     const { commit: commitHash } = useParams();
+    const { authHeader } = useAzureAuthSub((auth) => auth);
 
     React.useEffect(() => {
         if (commitHash !== undefined) {
-            getCommitInfo(commitHash);
+            getCommitInfo(commitHash, authHeader);
         }
-    }, [commitHash]);
+    }, [commitHash, authHeader]);
 
     const commitInfo = useCommitInfo((res) => res);
 

services/frontend-service/src/ui/utils/AzureAuthProvider.tsx

@@ -30,10 +30,11 @@ import { useFrontendConfig } from './store';
 import { AuthenticationResult } from '@azure/msal-common';
 import { Spinner } from '../components/Spinner/Spinner';
 
+export type AuthHeader = grpc.Metadata & {
+    Authorization?: String;
+};
 type AzureAuthSubType = {
-    authHeader: grpc.Metadata & {
-        Authorization?: String;
-    };
+    authHeader: AuthHeader;
     authReady: boolean;
 };
 

services/frontend-service/src/ui/utils/store.tsx

@@ -36,6 +36,7 @@ import { useCallback, useMemo } from 'react';
 import { useLocation, useNavigate, useSearchParams } from 'react-router-dom';
 import { useIsAuthenticated } from '@azure/msal-react';
 import { useApi } from './GrpcApi';
+import { AuthHeader } from './AzureAuthProvider';
 
 // see maxBatchActions in batch.go
 export const maxBatchActions = 100;
@@ -99,10 +100,10 @@ export const refreshTags = (): void => {
 };
 export const [useTag, updateTag] = createStore<TagsResponse>({ response: tagsResponse, tagsReady: false });
 
-export const getCommitInfo = (commitHash: string): void => {
-    const api = useApi;
-    api.gitService()
-        .GetCommitInfo({ commitHash: commitHash })
+export const getCommitInfo = (commitHash: string, authHeader: AuthHeader): void => {
+    useApi
+        .gitService()
+        .GetCommitInfo({ commitHash: commitHash }, authHeader)
         .then((result: GetCommitInfoResponse) => {
             updateCommitInfo.set({ response: result, commitInfoReady: CommitInfoState.READY });
         })