feat: refactoring authorisation checks and support of super-admin in …

…permissions groups. (#4433)

* refactored directories

* refactoring in enforcer code, removed enforceByEmail/InBatch usages

* removed isSuperAdmin method calls

* updated missed auth check

* replaced userService.GetById methods by lighter calls

* replaced getEmailFromToken by lighter calls

* removed remaining 2 usages of enforceByEmail

* self registration roles service renaming

* updated authenticator version for userVerifier changes

* added sql file for creating user group

* test: Origin/self register auth change (#4479)

* global-authorisation and resfactoring

* rbacfor deletematerial

* script number change

* role group superAdmin support

* script change

* sql script delete

* super-admin role group

* chart group duplication fix

* api-token

* check user roles for super admin group

* updated authenticator version

---------

Co-authored-by: Shivam Nagar <[email protected]>
Co-authored-by: Shivam-nagar23 <[email protected]>

App.go

@@ -21,21 +21,22 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"github.com/devtron-labs/devtron/api/util"
-	"github.com/devtron-labs/devtron/client/telemetry"
-	"github.com/devtron-labs/devtron/otel"
 	"log"
 	"net/http"
 	"os"
 	"time"
 
+	"github.com/devtron-labs/devtron/api/util"
+	"github.com/devtron-labs/devtron/client/telemetry"
+	"github.com/devtron-labs/devtron/otel"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
+
 	"github.com/casbin/casbin"
 	authMiddleware "github.com/devtron-labs/authenticator/middleware"
 	pubsub "github.com/devtron-labs/common-lib/pubsub-lib"
 	"github.com/devtron-labs/devtron/api/router"
 	"github.com/devtron-labs/devtron/api/sse"
 	"github.com/devtron-labs/devtron/internal/middleware"
-	"github.com/devtron-labs/devtron/pkg/user"
 	"github.com/go-pg/pg"
 	_ "github.com/lib/pq"
 	"go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux"

Wire.go

@@ -30,6 +30,8 @@ import (
 	appStoreDeployment "github.com/devtron-labs/devtron/api/appStore/deployment"
 	appStoreDiscover "github.com/devtron-labs/devtron/api/appStore/discover"
 	appStoreValues "github.com/devtron-labs/devtron/api/appStore/values"
+	"github.com/devtron-labs/devtron/api/auth/sso"
+	"github.com/devtron-labs/devtron/api/auth/user"
 	chartRepo "github.com/devtron-labs/devtron/api/chartRepo"
 	"github.com/devtron-labs/devtron/api/cluster"
 	"github.com/devtron-labs/devtron/api/connector"
@@ -46,10 +48,8 @@ import (
 	"github.com/devtron-labs/devtron/api/router/pubsub"
 	"github.com/devtron-labs/devtron/api/server"
 	"github.com/devtron-labs/devtron/api/sse"
-	"github.com/devtron-labs/devtron/api/sso"
 	"github.com/devtron-labs/devtron/api/team"
 	"github.com/devtron-labs/devtron/api/terminal"
-	"github.com/devtron-labs/devtron/api/user"
 	util5 "github.com/devtron-labs/devtron/api/util"
 	webhookHelm "github.com/devtron-labs/devtron/api/webhook/helm"
 	"github.com/devtron-labs/devtron/client/argocdServer"

api/apiToken/ApiTokenRestHandler.go

@@ -19,17 +19,18 @@ package apiToken
 
 import (
 	"encoding/json"
+	"net/http"
+	"strconv"
+
 	openapi "github.com/devtron-labs/devtron/api/openapi/openapiClient"
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	"github.com/devtron-labs/devtron/pkg/apiToken"
-	"github.com/devtron-labs/devtron/pkg/user"
-	"github.com/devtron-labs/devtron/pkg/user/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
 	"github.com/gorilla/mux"
 	"github.com/juju/errors"
 	"go.uber.org/zap"
 	"gopkg.in/go-playground/validator.v9"
-	"net/http"
-	"strconv"
 )
 
 type ApiTokenRestHandler interface {

api/appStore/AppStoreStatusTimelineRestHandler.go

@@ -1,14 +1,15 @@
 package appStore
 
 import (
+	"net/http"
+	"strconv"
+
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	"github.com/devtron-labs/devtron/pkg/app/status"
-	"github.com/devtron-labs/devtron/pkg/user/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
 	"github.com/devtron-labs/devtron/util/rbac"
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
-	"net/http"
-	"strconv"
 )
 
 type AppStoreStatusTimelineRestHandler interface {

api/appStore/InstalledAppRestHandler.go

@@ -22,6 +22,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
 	bean2 "github.com/devtron-labs/devtron/api/bean"
 	client "github.com/devtron-labs/devtron/api/helm-app"
 	openapi "github.com/devtron-labs/devtron/api/helm-app/openapiClient"
@@ -35,10 +40,10 @@ import (
 	appStoreBean "github.com/devtron-labs/devtron/pkg/appStore/bean"
 	"github.com/devtron-labs/devtron/pkg/appStore/deployment/repository"
 	"github.com/devtron-labs/devtron/pkg/appStore/deployment/service"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
 	"github.com/devtron-labs/devtron/pkg/cluster"
 	application2 "github.com/devtron-labs/devtron/pkg/k8s/application"
-	"github.com/devtron-labs/devtron/pkg/user"
-	"github.com/devtron-labs/devtron/pkg/user/casbin"
 	"github.com/devtron-labs/devtron/util"
 	"github.com/devtron-labs/devtron/util/argo"
 	"github.com/devtron-labs/devtron/util/rbac"
@@ -47,10 +52,6 @@ import (
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
 	"gopkg.in/go-playground/validator.v9"
-	"net/http"
-	"strconv"
-	"strings"
-	"time"
 )
 
 type InstalledAppRestHandler interface {
@@ -159,12 +160,6 @@ func (handler InstalledAppRestHandlerImpl) GetAllInstalledApp(w http.ResponseWri
 	}
 	v := r.URL.Query()
 	token := r.Header.Get("token")
-	userEmailId, err := handler.userAuthService.GetEmailFromToken(token)
-	if err != nil {
-		handler.Logger.Errorw("error in getting user emailId from token", "userId", userId, "err", err)
-		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
-		return
-	}
 	var envIds []int
 	envsQueryParam := v.Get("envIds")
 	if envsQueryParam != "" {
@@ -290,8 +285,8 @@ func (handler InstalledAppRestHandlerImpl) GetAllInstalledApp(w http.ResponseWri
 
 	}
 	start := time.Now()
-	resultObjectMap1 := handler.enforcer.EnforceByEmailInBatch(userEmailId, casbin.ResourceHelmApp, casbin.ActionGet, objectArray1)
-	resultObjectMap2 := handler.enforcer.EnforceByEmailInBatch(userEmailId, casbin.ResourceHelmApp, casbin.ActionGet, objectArray2)
+	resultObjectMap1 := handler.enforcer.EnforceInBatch(token, casbin.ResourceHelmApp, casbin.ActionGet, objectArray1)
+	resultObjectMap2 := handler.enforcer.EnforceInBatch(token, casbin.ResourceHelmApp, casbin.ActionGet, objectArray2)
 	middleware.AppListingDuration.WithLabelValues("enforceByEmailInBatch", "helm").Observe(time.Since(start).Seconds())
 	authorizedAppIdSet := make(map[string]bool)
 	//O(n) time loop , at max we will only iterate through all the apps

api/appStore/chartProvider/ChartProviderRestHandler.go

@@ -19,14 +19,15 @@ package chartProvider
 
 import (
 	"encoding/json"
+	"net/http"
+	"strconv"
+
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	"github.com/devtron-labs/devtron/pkg/appStore/chartProvider"
-	"github.com/devtron-labs/devtron/pkg/user"
-	"github.com/devtron-labs/devtron/pkg/user/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
 	"go.uber.org/zap"
 	"gopkg.in/go-playground/validator.v9"
-	"net/http"
-	"strconv"
 )
 
 type ChartProviderRestHandler interface {
@@ -38,9 +39,9 @@ type ChartProviderRestHandler interface {
 type ChartProviderRestHandlerImpl struct {
 	Logger               *zap.SugaredLogger
 	chartProviderService chartProvider.ChartProviderService
-	validator            *validator.Validate
-	userAuthService      user.UserService
-	enforcer             casbin.Enforcer
+	validator       *validator.Validate
+	userAuthService user.UserService
+	enforcer        casbin.Enforcer
 }
 
 func NewChartProviderRestHandlerImpl(Logger *zap.SugaredLogger, userAuthService user.UserService, validator *validator.Validate, chartProviderService chartProvider.ChartProviderService,

api/appStore/deployment/AppStoreDeploymentRestHandler.go

@@ -22,6 +22,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
 	client "github.com/devtron-labs/devtron/api/helm-app"
 	openapi "github.com/devtron-labs/devtron/api/helm-app/openapiClient"
 	"github.com/devtron-labs/devtron/api/restHandler/common"
@@ -30,19 +35,15 @@ import (
 	appStoreDeploymentCommon "github.com/devtron-labs/devtron/pkg/appStore/deployment/common"
 	"github.com/devtron-labs/devtron/pkg/appStore/deployment/service"
 	"github.com/devtron-labs/devtron/pkg/attributes"
-	"github.com/devtron-labs/devtron/pkg/user"
-	"github.com/devtron-labs/devtron/pkg/user/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
 	util2 "github.com/devtron-labs/devtron/util"
 	"github.com/devtron-labs/devtron/util/argo"
 	"github.com/devtron-labs/devtron/util/rbac"
 	"github.com/go-pg/pg"
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
 	"gopkg.in/go-playground/validator.v9"
-	"net/http"
-	"strconv"
-	"strings"
-	"time"
 )
 
 const HELM_APP_UPDATE_COUNTER = "HelmAppUpdateCounter"
@@ -58,9 +59,9 @@ type AppStoreDeploymentRestHandler interface {
 }
 
 type AppStoreDeploymentRestHandlerImpl struct {
-	Logger                     *zap.SugaredLogger
-	userAuthService            user.UserService
-	enforcer                   casbin.Enforcer
+	Logger          *zap.SugaredLogger
+	userAuthService user.UserService
+	enforcer        casbin.Enforcer
 	enforcerUtil               rbac.EnforcerUtil
 	enforcerUtilHelm           rbac.EnforcerUtilHelm
 	appStoreDeploymentService  service.AppStoreDeploymentService

api/appStore/deployment/CommonDeploymentRestHandler.go

@@ -21,6 +21,10 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
+	"strconv"
+	"time"
+
 	"github.com/devtron-labs/common-lib/utils/k8sObjectsUtil"
 	client "github.com/devtron-labs/devtron/api/helm-app"
 	openapi2 "github.com/devtron-labs/devtron/api/openapi/openapiClient"
@@ -29,18 +33,15 @@ import (
 	appStoreBean "github.com/devtron-labs/devtron/pkg/appStore/bean"
 	appStoreDeploymentCommon "github.com/devtron-labs/devtron/pkg/appStore/deployment/common"
 	"github.com/devtron-labs/devtron/pkg/appStore/deployment/service"
-	"github.com/devtron-labs/devtron/pkg/user"
-	"github.com/devtron-labs/devtron/pkg/user/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
 	util2 "github.com/devtron-labs/devtron/util"
 	"github.com/devtron-labs/devtron/util/argo"
 	"github.com/devtron-labs/devtron/util/rbac"
 	"github.com/gorilla/mux"
 	"go.opentelemetry.io/otel"
 	"go.uber.org/zap"
 	"gopkg.in/go-playground/validator.v9"
-	"net/http"
-	"strconv"
-	"time"
 )
 
 type CommonDeploymentRestHandler interface {
@@ -50,9 +51,9 @@ type CommonDeploymentRestHandler interface {
 }
 
 type CommonDeploymentRestHandlerImpl struct {
-	Logger                     *zap.SugaredLogger
-	userAuthService            user.UserService
-	enforcer                   casbin.Enforcer
+	Logger          *zap.SugaredLogger
+	userAuthService user.UserService
+	enforcer        casbin.Enforcer
 	enforcerUtil               rbac.EnforcerUtil
 	enforcerUtilHelm           rbac.EnforcerUtilHelm
 	appStoreDeploymentService  service.AppStoreDeploymentService

api/appStore/discover/AppStoreRestHandler.go

@@ -18,16 +18,17 @@
 package appStoreDiscover
 
 import (
+	"net/http"
+	"strconv"
+	"strings"
+
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	appStoreBean "github.com/devtron-labs/devtron/pkg/appStore/bean"
 	"github.com/devtron-labs/devtron/pkg/appStore/discover/service"
-	"github.com/devtron-labs/devtron/pkg/user"
-	"github.com/devtron-labs/devtron/pkg/user/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
-	"net/http"
-	"strconv"
-	"strings"
 )
 
 type AppStoreRestHandler interface {

api/appStore/values/AppStoreValuesRestHandler.go

@@ -19,14 +19,15 @@ package appStoreValues
 
 import (
 	"encoding/json"
+	"net/http"
+	"strconv"
+
 	"github.com/devtron-labs/devtron/api/restHandler/common"
 	appStoreBean "github.com/devtron-labs/devtron/pkg/appStore/bean"
 	"github.com/devtron-labs/devtron/pkg/appStore/values/service"
-	"github.com/devtron-labs/devtron/pkg/user"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
-	"net/http"
-	"strconv"
 )
 
 type AppStoreValuesRestHandler interface {

api/sso/SsoLoginHandler.go → api/auth/sso/SsoLoginHandler.go

@@ -20,16 +20,17 @@ package sso
 import (
 	"encoding/json"
 	"errors"
+	"net/http"
+	"strconv"
+
 	"github.com/devtron-labs/devtron/api/bean"
 	"github.com/devtron-labs/devtron/api/restHandler/common"
-	"github.com/devtron-labs/devtron/pkg/sso"
-	"github.com/devtron-labs/devtron/pkg/user"
-	"github.com/devtron-labs/devtron/pkg/user/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
+	"github.com/devtron-labs/devtron/pkg/auth/sso"
+	"github.com/devtron-labs/devtron/pkg/auth/user"
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
 	"gopkg.in/go-playground/validator.v9"
-	"net/http"
-	"strconv"
 )
 
 type SsoLoginRestHandler interface {

api/sso/wire_sso.go → api/auth/sso/wire_sso.go

@@ -1,17 +1,17 @@
 package sso
 
 import (
-	"github.com/devtron-labs/devtron/pkg/sso"
+	sso2 "github.com/devtron-labs/devtron/pkg/auth/sso"
 	"github.com/google/wire"
 )
 
 //depends on sql,user,K8sUtil, logger, enforcer,
 
 var SsoConfigWireSet = wire.NewSet(
-	sso.NewSSOLoginServiceImpl,
-	wire.Bind(new(sso.SSOLoginService), new(*sso.SSOLoginServiceImpl)),
-	sso.NewSSOLoginRepositoryImpl,
-	wire.Bind(new(sso.SSOLoginRepository), new(*sso.SSOLoginRepositoryImpl)),
+	sso2.NewSSOLoginServiceImpl,
+	wire.Bind(new(sso2.SSOLoginService), new(*sso2.SSOLoginServiceImpl)),
+	sso2.NewSSOLoginRepositoryImpl,
+	wire.Bind(new(sso2.SSOLoginRepository), new(*sso2.SSOLoginRepositoryImpl)),
 
 	NewSsoLoginRouterImpl,
 	wire.Bind(new(SsoLoginRouter), new(*SsoLoginRouterImpl)),