From 0eea3f5238b9f7f4e6fe72dacf8f2ece6da94171 Mon Sep 17 00:00:00 2001
From: ashishdevtron <141303172+ashishdevtron@users.noreply.github.com>
Date: Fri, 17 May 2024 16:51:19 +0530
Subject: [PATCH 1/2] fix: added a check for restricting managers to assign superadmin through permission groups (#5025)
* fix
* better handling
* fix
* condition fix
* error msg updated
* create user fix
* fix
* minor refactoring
---
 api/auth/user/UserRestHandler.go | 25 ++++++++--
 api/bean/UserRequest.go | 5 ++
 pkg/apiToken/ApiTokenService.go | 2 +-
 pkg/auth/user/UserService.go | 85 +++++++++++++++++++-------------
 pkg/auth/user/adapter/adapter.go | 10 ++++
 pkg/auth/user/helper/helper.go | 28 +++++++++++
 6 files changed, 115 insertions(+), 40 deletions(-)
diff --git a/api/auth/user/UserRestHandler.go b/api/auth/user/UserRestHandler.go
index f1a32d1238..49e6ace657 100644
--- a/api/auth/user/UserRestHandler.go
+++ b/api/auth/user/UserRestHandler.go
@@ -191,7 +191,7 @@ func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Req
 }
 //RBAC enforcer Ends
- res, err := handler.userService.CreateUser(&userInfo, token, handler.CheckManagerAuth)
+ res, restrictedGroups, err := handler.userService.CreateUser(&userInfo, token, handler.CheckManagerAuth)
 if err != nil {
 handler.logger.Errorw("service err, CreateUser", "err", err, "payload", userInfo)
 if _, ok := err.(*util.ApiError); ok {
@@ -203,7 +203,22 @@ func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Req
 return
 }
- common.WriteJsonResp(w, err, res, http.StatusOK)
+ if len(restrictedGroups) == 0 {
+ common.WriteJsonResp(w, err, res, http.StatusOK)
+ } else {
+ errorMessageForGroupsWithoutSuperAdmin, errorMessageForGroupsWithSuperAdmin := helper.CreateErrorMessageForUserRoleGroups(restrictedGroups)
+
+ if len(restrictedGroups) != len(userInfo.UserRoleGroup) {
+ // warning
+ message := fmt.Errorf("User permissions added partially. %s%s", errorMessageForGroupsWithoutSuperAdmin, errorMessageForGroupsWithSuperAdmin)
+ common.WriteJsonResp(w, message, nil, http.StatusExpectationFailed)
+
+ } else {
+ //error
+ message := fmt.Errorf("Permission could not be added. %s%s", errorMessageForGroupsWithoutSuperAdmin, errorMessageForGroupsWithSuperAdmin)
+ common.WriteJsonResp(w, message, nil, http.StatusBadRequest)
+ }
+ }
 }
 func (handler UserRestHandlerImpl) UpdateUser(w http.ResponseWriter, r *http.Request) {
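Review bot: In the branch where every requested group was refused (`len(restrictedGroups) == len(userInfo.UserRoleGroup)`) the handler answers 400 with a nil body, yet as far as the service hunks show createUserIfNotExists has already committed the new user with the permitted policies before returning restrictedGroups, so the client is told nothing was added while the user record now exists; either treat a fully refused request as an error inside the service transaction or return the created `res` with the 417 used by the partial branch. The two helper strings are joined with `%s%s`, so when both are non-empty the two sentences run together without a space; `"User permissions added partially. %s %s"` (and the same two formats in the UpdateUser hunk below) fixes that. The partial/total decision also assumes CreateUser reports a refused group for every request entry, which the service hunk does not guarantee for a comma-separated EmailId since it reassigns restrictedGroups per address. The handler body of CreateUser starts outside the hunk.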
@@ -252,16 +267,16 @@ func (handler UserRestHandlerImpl) UpdateUser(w http.ResponseWriter, r *http.Req
 if len(restrictedGroups) == 0 {
 common.WriteJsonResp(w, err, res, http.StatusOK)
 } else {
- groups := strings.Join(restrictedGroups, ", ")
+ errorMessageForGroupsWithoutSuperAdmin, errorMessageForGroupsWithSuperAdmin := helper.CreateErrorMessageForUserRoleGroups(restrictedGroups)
 if rolesChanged || groupsModified {
 // warning
- message := fmt.Errorf("User permissions updated partially. Group(s): " + groups + " could not be added/removed. You do not have manager permission for some or all projects in these groups.")
+ message := fmt.Errorf("User permissions updated partially. %s%s", errorMessageForGroupsWithoutSuperAdmin, errorMessageForGroupsWithSuperAdmin)
 common.WriteJsonResp(w, message, nil, http.StatusExpectationFailed)
 } else {
 //error
- message := fmt.Errorf("Permission could not be added/removed: You do not have manager permission for some or all projects in group(s): " + groups + ".")
+ message := fmt.Errorf("Permission could not be added/removed. %s%s", errorMessageForGroupsWithoutSuperAdmin, errorMessageForGroupsWithSuperAdmin)
 common.WriteJsonResp(w, message, nil, http.StatusBadRequest)
 }
 }
diff --git a/api/bean/UserRequest.go b/api/bean/UserRequest.go
index 69c39f5d7e..efd6ce290c 100644
--- a/api/bean/UserRequest.go
+++ b/api/bean/UserRequest.go
@@ -131,6 +131,11 @@ type RoleGroupListingResponse struct {
 TotalCount int `json:"totalCount"`
 }
+type RestrictedGroup struct {
+ Group string
+ HasSuperAdminPermission bool
+}
+
 type ListingRequest struct {
 SearchKey string `json:"searchKey"`
 SortOrder bean.SortOrder `json:"sortOrder"`
diff --git a/pkg/apiToken/ApiTokenService.go b/pkg/apiToken/ApiTokenService.go
index 28a5d5521a..e709b12073 100644
--- a/pkg/apiToken/ApiTokenService.go
+++ b/pkg/apiToken/ApiTokenService.go
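Review bot: `RestrictedGroup` in the api/bean hunk is an exported type with no doc comment, and nothing on the type says which form of the name it carries (the adapter strips the `group:` casbin prefix before filling it) or what the flag means. Suggested comment above the type: `// RestrictedGroup names a role group the acting user was not allowed to assign or remove. Group is the group name without the "group:" casbin prefix; HasSuperAdminPermission is true when the refusal was because the group carries the super-admin role.` The handler hunk above only uses the type to build messages, so the unexported-looking fields without json tags are fine as long as the type is never serialized, which is worth stating in that comment too.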
@@ -206,7 +206,7 @@ func (impl ApiTokenServiceImpl) CreateApiToken(request *openapi.CreateApiTokenRe
 EmailId: email,
 UserType: bean.USER_TYPE_API_TOKEN,
 }
- createUserResponse, err := impl.userService.CreateUser(&createUserRequest, token, managerAuth)
+ createUserResponse, _, err := impl.userService.CreateUser(&createUserRequest, token, managerAuth)
 if err != nil {
 impl.logger.Errorw("error while creating user for api-token", "email", email, "error", err)
 return nil, err
diff --git a/pkg/auth/user/UserService.go b/pkg/auth/user/UserService.go
index 1b5a75edf9..4a73b9d579 100644
--- a/pkg/auth/user/UserService.go
+++ b/pkg/auth/user/UserService.go
@@ -51,9 +51,9 @@ const (
 )
 type UserService interface {
- CreateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) ([]*bean.UserInfo, error)
+ CreateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) ([]*bean.UserInfo, []bean.RestrictedGroup, error)
 SelfRegisterUserIfNotExists(userInfo *bean.UserInfo) ([]*bean.UserInfo, error)
- UpdateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) (*bean.UserInfo, bool, bool, []string, error)
+ UpdateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) (*bean.UserInfo, bool, bool, []bean.RestrictedGroup, error)
 GetById(id int32) (*bean.UserInfo, error)
 GetAll() ([]bean.UserInfo, error)
 GetAllWithFilters(request *bean.ListingRequest) (*bean.UserListingResponse, error)
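Review bot: The API-token path discards the refused groups with `_`, so if the token request can carry role groups (the hunk only shows EmailId and UserType being set) a manager would get a token user with fewer permissions than requested and no indication of it. At minimum record the refusal before returning: `if len(restrictedGroups) > 0 { impl.logger.Warnw("groups not assigned to api-token user", "email", email, "restrictedGroups", restrictedGroups) }`; whether the request should fail instead depends on the token contract, which this hunk does not show. CreateApiToken continues outside the hunk.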
@@ -276,16 +276,17 @@ func (impl *UserServiceImpl) saveUser(userInfo *bean.UserInfo, emailId string) (
 return userInfo, nil
 }
-func (impl *UserServiceImpl) CreateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) ([]*bean.UserInfo, error) {
+func (impl *UserServiceImpl) CreateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) ([]*bean.UserInfo, []bean.RestrictedGroup, error) {
 var pass []string
 var userResponse []*bean.UserInfo
+ var restrictedGroups []bean.RestrictedGroup
 emailIds := strings.Split(userInfo.EmailId, ",")
 for _, emailId := range emailIds {
 dbUser, err := impl.userRepository.FetchActiveOrDeletedUserByEmail(emailId)
 if err != nil && err != pg.ErrNoRows {
 impl.logger.Errorw("error while fetching user from db", "error", err)
- return nil, err
+ return nil, nil, err
 }
 //if found, update it with new roles
@@ -293,16 +294,16 @@ func (impl *UserServiceImpl) CreateUser(userInfo *bean.UserInfo, token string, m
 userInfo, err = impl.updateUserIfExists(userInfo, dbUser, emailId, token, managerAuth)
 if err != nil {
 impl.logger.Errorw("error while create user if exists in db", "error", err)
- return nil, err
+ return nil, nil, err
 }
 }
 // if not found, create new user
 if err == pg.ErrNoRows {
- userInfo, err = impl.createUserIfNotExists(userInfo, emailId, token, managerAuth)
+ userInfo, restrictedGroups, err = impl.createUserIfNotExists(userInfo, emailId, token, managerAuth)
 if err != nil {
 impl.logger.Errorw("error while create user if not exists in db", "error", err)
- return nil, nil, err
 }
 }
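Review bot: `restrictedGroups` is overwritten on every iteration of the e-mail loop (`userInfo, restrictedGroups, err = impl.createUserIfNotExists(...)`), so for a comma-separated EmailId only the last address's refusals reach the caller, and an address that already exists (the updateUserIfExists branch) reports none at all, even though the same group checks presumably apply there. Accumulate instead: declare `var groups []bean.RestrictedGroup` in the loop, assign `userInfo, groups, err = impl.createUserIfNotExists(userInfo, emailId, token, managerAuth)` and follow it with `restrictedGroups = append(restrictedGroups, groups...)`; the handler's partial/total comparison would then need to account for duplicates across addresses. Having updateUserIfExists return its refused groups as well would close the second gap. The function body continues into the following hunks.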
@@ -312,7 +313,7 @@ func (impl *UserServiceImpl) CreateUser(userInfo *bean.UserInfo, token string, m
 userResponse = append(userResponse, &bean.UserInfo{Id: userInfo.Id, EmailId: emailId, Groups: userInfo.Groups, RoleFilters: userInfo.RoleFilters, SuperAdmin: userInfo.SuperAdmin, UserRoleGroup: userInfo.UserRoleGroup})
 }
- return userResponse, nil
+ return userResponse, restrictedGroups, nil
 }
 func (impl *UserServiceImpl) updateUserIfExists(userInfo *bean.UserInfo, dbUser *repository.UserModel, emailId string,
@@ -340,12 +341,12 @@ func (impl *UserServiceImpl) updateUserIfExists(userInfo *bean.UserInfo, dbUser
 return userInfo, nil
 }
-func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emailId string, token string, managerAuth func(resource string, token string, object string) bool) (*bean.UserInfo, error) {
+func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emailId string, token string, managerAuth func(resource string, token string, object string) bool) (*bean.UserInfo, []bean.RestrictedGroup, error) {
 // if not found, create new user
 dbConnection := impl.userRepository.GetConnection()
 tx, err := dbConnection.Begin()
 if err != nil {
- return nil, err
+ return nil, nil, err
 }
 // Rollback tx on error.
 defer tx.Rollback()
@@ -353,7 +354,7 @@ func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emai
 _, err = impl.validateUserRequest(userInfo)
 if err != nil {
 err = &util.ApiError{HttpStatusCode: http.StatusBadRequest, UserMessage: "Invalid request, please provide role filters"}
- return nil, err
+ return nil, nil, err
 }
 //create new user in our db on d basis of info got from google api or hex. assign a basic role
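Review bot: createUserIfNotExists's new `[]bean.RestrictedGroup` result carries a contract the signature does not express: a non-empty slice together with a nil error means the user was created and committed with only the groups that checkGroupAuth allowed, the refused ones being silently skipped. A doc comment above the function should say so, e.g. `// createUserIfNotExists creates the user and its role policies in one transaction. Groups that checkGroupAuth refuses for the acting user are skipped rather than failing the request and are reported in the returned RestrictedGroup slice; the user and the remaining policies are still committed.` The response entry built in the CreateUser hunk above still echoes `UserRoleGroup: userInfo.UserRoleGroup`, i.e. the requested groups including the refused ones, which deserves a comment next to the append as well. Both function bodies continue outside these hunks.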
@@ -375,24 +376,30 @@ func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emai
 InternalMessage: "failed to create new user in db",
 UserMessage: fmt.Sprintf("requested by %d", userInfo.UserId),
 }
- return nil, err
+ return nil, nil, err
 }
 userInfo.Id = model.Id
 //loading policy for safety
 casbin2.LoadPolicy()
+ var restrictedGroups []bean.RestrictedGroup
+
 //Starts Role and Mapping
 capacity, mapping := impl.userCommonService.GetCapacityForRoleFilter(userInfo.RoleFilters)
 //var policies []casbin2.Policy
 var policies = make([]casbin2.Policy, 0, capacity)
 if userInfo.SuperAdmin == false {
+ isActionPerformingUserSuperAdmin, err := impl.IsSuperAdmin(int(userInfo.UserId))
+ if err != nil {
+ return nil, nil, err
+ }
 for index, roleFilter := range userInfo.RoleFilters {
 impl.logger.Infow("Creating Or updating User Roles for RoleFilter ")
 entity := roleFilter.Entity
 policiesToBeAdded, _, err := impl.CreateOrUpdateUserRolesForAllTypes(roleFilter, userInfo.UserId, model, nil, token, managerAuth, tx, entity, mapping[index])
 if err != nil {
 impl.logger.Errorw("error in creating user roles for Alltypes", "err", err)
- return nil, err
+ return nil, nil, err
 }
 policies = append(policies, policiesToBeAdded...)
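Review bot: The new `impl.IsSuperAdmin` lookup returns a bare `return nil, nil, err` with no log line, unlike the other error paths in this function, and its `:=` shadows the function-scope `err` declared at `tx, err := dbConnection.Begin()` in the previous hunk (harmless only because the branch returns immediately). Suggest `impl.logger.Errorw("error in checking super admin status of acting user", "userId", userInfo.UserId, "err", err)` before the return. The `else if userInfo.SuperAdmin == true` branch in the next hunk performs the same `IsSuperAdmin(int(userInfo.UserId))` call, so computing it once above the `if` and reusing the value in both branches would remove the duplication and the shadowing. The function body continues beyond the hunk.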
@@ -402,29 +409,34 @@ func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emai
 for _, item := range userInfo.UserRoleGroup {
 userGroup, err := impl.roleGroupRepository.GetRoleGroupByName(item.RoleGroup.Name)
 if err != nil {
- return nil, err
+ return nil, nil, err
+ }
+ hasAccessToGroup, hasSuperAdminPermission := impl.checkGroupAuth(userGroup.CasbinName, token, managerAuth, isActionPerformingUserSuperAdmin)
+ if hasAccessToGroup {
+ policies = append(policies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(userInfo.EmailId), Obj: casbin2.Object(userGroup.CasbinName)})
+ } else {
+ restrictedGroup := adapter.CreateRestrictedGroup(item.RoleGroup.Name, hasSuperAdminPermission)
+ restrictedGroups = append(restrictedGroups, restrictedGroup)
 }
- //object := "group:" + strings.ReplaceAll(item, " ", "_")
- policies = append(policies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(emailId), Obj: casbin2.Object(userGroup.CasbinName)})
 }
 // END GROUP POLICY
 } else if userInfo.SuperAdmin == true {
 isSuperAdmin, err := impl.IsSuperAdmin(int(userInfo.UserId))
 if err != nil {
- return nil, err
+ return nil, nil, err
 }
 if isSuperAdmin == false {
 err = &util.ApiError{HttpStatusCode: http.StatusForbidden, UserMessage: "Invalid request, not allow to update super admin type user"}
- return nil, err
+ return nil, nil, err
 }
 flag, err := impl.userAuthRepository.CreateRoleForSuperAdminIfNotExists(tx, userInfo.UserId)
 if err != nil || flag == false {
- return nil, err
+ return nil, nil, err
 }
 roleModel, err := impl.userAuthRepository.GetRoleByFilterForAllTypes("", "", "", "", bean2.SUPER_ADMIN, "", "", "", "", "", "", "", false, "")
 if err != nil {
- return nil, err
+ return nil, nil, err
 }
 if roleModel.Id > 0 {
 userRoleModel := &repository.UserRoleModel{UserId: model.Id, RoleId: roleModel.Id, AuditLog: sql.AuditLog{
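Review bot: The rewritten group policy binds `Sub: casbin2.Subject(userInfo.EmailId)` where the removed line used `casbin2.Subject(emailId)`, the per-address value this function receives from CreateUser's `strings.Split(userInfo.EmailId, ",")` loop; for a request with several addresses the group membership would now be written for the comma-joined string rather than for the user being created, and the super-admin branch in the same hunk still binds to `model.EmailId`. Restore `Sub: casbin2.Subject(emailId)`, or use `model.EmailId` to match that branch. A one-line comment on the `else` branch, `// refused by checkGroupAuth: skip the group, report it, but keep creating the user`, would also make the skip-not-abort behaviour explicit, since nothing else in the function signals it. The function body continues beyond the hunk.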
@@ -435,7 +447,7 @@ func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emai
 }}
 userRoleModel, err = impl.userAuthRepository.CreateUserRoleMapping(userRoleModel, tx)
 if err != nil {
- return nil, err
+ return nil, nil, err
 }
 policies = append(policies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(model.EmailId), Obj: casbin2.Object(roleModel.Role)})
 }
@@ -450,11 +462,11 @@ func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emai
 //Ends
 err = tx.Commit()
 if err != nil {
- return nil, err
+ return nil, nil, err
 }
 //loading policy for syncing orchestrator to casbin with newly added policies
 casbin2.LoadPolicy()
- return userInfo, nil
+ return userInfo, restrictedGroups, nil
 }
 func (impl *UserServiceImpl) CreateOrUpdateUserRolesForAllTypes(roleFilter bean.RoleFilter, userId int32, model *repository.UserModel, existingRoles map[int]repository.UserRoleModel, token string, managerAuth func(resource string, token string, object string) bool, tx *pg.Tx, entity string, capacity int) ([]casbin2.Policy, bool, error) {
@@ -634,7 +646,7 @@ func (impl UserServiceImpl) mergeUserRoleGroup(oldUserRoleGroups []bean.UserRole
 return finalUserRoleGroups
 }
-func (impl *UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) (*bean.UserInfo, bool, bool, []string, error) {
+func (impl *UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) (*bean.UserInfo, bool, bool, []bean.RestrictedGroup, error) {
 //checking if request for same user is being processed
 isLocked := impl.getUserReqLockStateById(userInfo.Id)
 if isLocked {
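Review bot: UpdateUser now returns five unnamed values, `(*bean.UserInfo, bool, bool, []bean.RestrictedGroup, error)`, with two adjacent bools whose meaning (rolesChanged and groupsModified, going by the handler hunk) a caller can only learn from the implementation. Naming the results in both the implementation and the UserService interface declaration in the earlier hunk, `(userInfo *bean.UserInfo, rolesChanged, groupsModified bool, restrictedGroups []bean.RestrictedGroup, err error)`, or grouping them in a small result struct, would make the contract self-describing without changing callers. The `return userInfo, restrictedGroups, nil` placed after `tx.Commit()` in the first hunk here is the line that fixes "refused groups do not roll back the creation", so it is the natural place for a short why-comment. UpdateUser's body continues beyond the hunk.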
@@ -698,7 +710,7 @@ func (impl *UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, m
 var eliminatedPolicies []casbin2.Policy
 capacity, mapping := impl.userCommonService.GetCapacityForRoleFilter(userInfo.RoleFilters)
 var addedPolicies = make([]casbin2.Policy, 0, capacity)
- restrictedGroups := []string{}
+ restrictedGroups := []bean.RestrictedGroup{}
 rolesChanged := false
 groupsModified := false
 //loading policy for safety
@@ -767,13 +779,13 @@ func (impl *UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, m
 newGroupMap[userGroup.CasbinName] = userGroup.CasbinName
 if _, ok := oldGroupMap[userGroup.CasbinName]; !ok {
 //check permission for new group which is going to add
- hasAccessToGroup := impl.checkGroupAuth(userGroup.CasbinName, token, managerAuth, isActionPerformingUserSuperAdmin)
+ hasAccessToGroup, hasSuperAdminPermission := impl.checkGroupAuth(userGroup.CasbinName, token, managerAuth, isActionPerformingUserSuperAdmin)
 if hasAccessToGroup {
 groupsModified = true
 addedPolicies = append(addedPolicies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(userInfo.EmailId), Obj: casbin2.Object(userGroup.CasbinName)})
 } else {
- trimmedGroup := strings.TrimPrefix(item.RoleGroup.Name, "group:")
- restrictedGroups = append(restrictedGroups, trimmedGroup)
+ restrictedGroup := adapter.CreateRestrictedGroup(item.RoleGroup.Name, hasSuperAdminPermission)
+ restrictedGroups = append(restrictedGroups, restrictedGroup)
 }
 }
 }
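Review bot: UpdateUser initialises `restrictedGroups := []bean.RestrictedGroup{}` while CreateUser in the earlier hunk declares `var restrictedGroups []bean.RestrictedGroup`; both callers only test `len`, so this is a consistency point rather than a bug, but `var restrictedGroups []bean.RestrictedGroup` is the idiomatic empty slice and keeps the two functions alike. In the second hunk the refusal branch records only the super-admin flag, so a reader of the handler's two messages has to find checkGroupAuth to learn the other reason; a comment such as `// refused by checkGroupAuth (outside the caller's manager scope, or a super-admin group)` on the `else` would save that trip. The enclosing loop starts outside the hunk.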
@@ -783,15 +795,15 @@ func (impl *UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, m
 if item != bean.SUPERADMIN {
 //check permission for group which is going to eliminate
 if strings.HasPrefix(item, "group:") {
- hasAccessToGroup := impl.checkGroupAuth(item, token, managerAuth, isActionPerformingUserSuperAdmin)
+ hasAccessToGroup, hasSuperAdminPermission := impl.checkGroupAuth(item, token, managerAuth, isActionPerformingUserSuperAdmin)
 if hasAccessToGroup {
 if strings.HasPrefix(item, "group:") {
 groupsModified = true
 }
 eliminatedPolicies = append(eliminatedPolicies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(userInfo.EmailId), Obj: casbin2.Object(item)})
 } else {
- trimmedGroup := strings.TrimPrefix(item, "group:")
- restrictedGroups = append(restrictedGroups, trimmedGroup)
+ restrictedGroup := adapter.CreateRestrictedGroup(item, hasSuperAdminPermission)
+ restrictedGroups = append(restrictedGroups, restrictedGroup)
 }
 }
 }
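Review bot: On this removal path a non-super-admin caller is now also blocked from removing a group that carries the super-admin role (checkGroupAuth sets hasSuperAdminPermission and denies access), and the refusal is rendered by CreateErrorMessageForUserRoleGroups as `Only super admins can assign groups with super admin permission`, so the user is told about assignment when they attempted removal. If blocking removal is intended, the helper's wording should cover both cases (`assign or remove`); if only assignment should be restricted, the elimination loop needs to bypass the super-admin test, for example by passing a flag into checkGroupAuth. The inner `if strings.HasPrefix(item, "group:")` is always true inside the outer test of the same condition and can be dropped. The enclosing loop starts outside the hunk.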
@@ -1672,15 +1684,20 @@ func (impl *UserServiceImpl) saveUserAudit(r *http.Request, userId int32) {
 impl.userAuditService.Save(userAudit)
 }
-func (impl *UserServiceImpl) checkGroupAuth(groupName string, token string, managerAuth func(resource, token string, object string) bool, isActionUserSuperAdmin bool) bool {
+func (impl *UserServiceImpl) checkGroupAuth(groupName string, token string, managerAuth func(resource, token string, object string) bool, isActionUserSuperAdmin bool) (bool, bool) {
 //check permission for group which is going to add/eliminate
 roles, err := impl.roleGroupRepository.GetRolesByGroupCasbinName(groupName)
 if err != nil && err != pg.ErrNoRows {
 impl.logger.Errorw("error while fetching user from db", "error", err)
- return false
+ return false, false
 }
 hasAccessToGroup := true
+ hasSuperAdminPermission := false
 for _, role := range roles {
+ if role.Role == bean.SUPERADMIN && !isActionUserSuperAdmin {
+ hasAccessToGroup = false
+ hasSuperAdminPermission = true
+ }
 if role.AccessType == bean.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
 hasAccessToGroup = false
 }
@@ -1699,7 +1716,7 @@ func (impl *UserServiceImpl) checkGroupAuth(groupName string, token string, mana
 }
 }
- return hasAccessToGroup
+ return hasAccessToGroup, hasSuperAdminPermission
 }
 func (impl *UserServiceImpl) GetRoleFiltersByUserRoleGroups(userRoleGroups []bean.UserRoleGroup) ([]bean.RoleFilter, error) {
diff --git a/pkg/auth/user/adapter/adapter.go b/pkg/auth/user/adapter/adapter.go
index 5170da3989..a84da21834 100644
--- a/pkg/auth/user/adapter/adapter.go
+++ b/pkg/auth/user/adapter/adapter.go
@@ -1,7 +1,9 @@
 package adapter
 import (
+ "github.com/devtron-labs/devtron/api/bean"
 "github.com/devtron-labs/devtron/pkg/auth/user/repository"
+ "strings"
 "time"
 )
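Review bot: checkGroupAuth's new `(bool, bool)` result is unnamed and both values are bools, so a call site that swaps them compiles silently; name them in the signature, `(hasAccessToGroup, hasSuperAdminPermission bool)`, and add a doc comment that states the contract, including that a repository error other than pg.ErrNoRows denies access with `false, false` (fail-closed, which is the right default for an authorization helper). The log line in that error path still reads `error while fetching user from db` although the call fetches the roles of a group; `impl.logger.Errorw("error while fetching roles for group", "group", groupName, "err", err)` would make the audit trail usable. The super-admin test is evaluated per role alongside the existing HELM check; a short comment such as `// a group carrying the super-admin role may only be assigned by a super admin` on the new `if` documents why the flag is set separately from hasAccessToGroup. The loop body continues into the second hunk.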
@@ -12,3 +14,11 @@ func GetLastLoginTime(model repository.UserModel) time.Time {
 }
 return lastLoginTime
 }
+
+func CreateRestrictedGroup(roleGroupName string, hasSuperAdminPermission bool) bean.RestrictedGroup {
+ trimmedGroup := strings.TrimPrefix(roleGroupName, "group:")
+ return bean.RestrictedGroup{
+ Group: trimmedGroup,
+ HasSuperAdminPermission: hasSuperAdminPermission,
+ }
+}
diff --git a/pkg/auth/user/helper/helper.go b/pkg/auth/user/helper/helper.go
index 1d85015272..e3cf2c5690 100644
--- a/pkg/auth/user/helper/helper.go
+++ b/pkg/auth/user/helper/helper.go
@@ -1,6 +1,8 @@
 package helper
 import (
+ "fmt"
+ bean2 "github.com/devtron-labs/devtron/api/bean"
 "github.com/devtron-labs/devtron/internal/util"
 "github.com/devtron-labs/devtron/pkg/auth/user/bean"
 "golang.org/x/exp/slices"
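Review bot: `CreateRestrictedGroup` is exported without a doc comment, and the adapter import hunk above places `"strings"` between two module imports instead of in the standard-library group that goimports produces. Suggested comment: `// CreateRestrictedGroup builds the RestrictedGroup reported to callers for a role group that could not be assigned or removed; the "group:" casbin prefix is stripped so user-facing messages show the plain group name.` Since callers in UserService pass both the raw `item.RoleGroup.Name` and the casbin name (`item` in the elimination loop), the comment should also say the prefix is stripped only when present.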
@@ -49,3 +51,29 @@ func CheckIfUserIdsExists(userIds []int32) error {
 func ExtractTokenNameFromEmail(email string) string {
 return strings.Split(email, ":")[1]
 }
+
+func CreateErrorMessageForUserRoleGroups(restrictedGroups []bean2.RestrictedGroup) (string, string) {
+ var restrictedGroupsWithSuperAdminPermission string
+ var restrictedGroupsWithoutSuperAdminPermission string
+ var errorMessageForGroupsWithoutSuperAdmin string
+ var errorMessageForGroupsWithSuperAdmin string
+ for _, group := range restrictedGroups {
+ if group.HasSuperAdminPermission {
+ restrictedGroupsWithSuperAdminPermission += fmt.Sprintf("%s,", group.Group)
+ } else {
+ restrictedGroupsWithoutSuperAdminPermission += fmt.Sprintf("%s,", group.Group)
+ }
+ }
+
+ if len(restrictedGroupsWithoutSuperAdminPermission) > 0 {
+ // if any group was appended, remove the comma from the end
+ restrictedGroupsWithoutSuperAdminPermission = restrictedGroupsWithoutSuperAdminPermission[:len(restrictedGroupsWithoutSuperAdminPermission)-1]
+ errorMessageForGroupsWithoutSuperAdmin = fmt.Sprintf("You do not have manager permission for some or all projects in group(s): %v.", restrictedGroupsWithoutSuperAdminPermission)
+ }
+ if len(restrictedGroupsWithSuperAdminPermission) > 0 {
+ // if any group was appended, remove the comma from the end
+ restrictedGroupsWithSuperAdminPermission = restrictedGroupsWithSuperAdminPermission[:len(restrictedGroupsWithSuperAdminPermission)-1]
+ errorMessageForGroupsWithSuperAdmin = fmt.Sprintf("Only super admins can assign groups with super admin permission: %v.", restrictedGroupsWithSuperAdminPermission)
+ }
+ return errorMessageForGroupsWithoutSuperAdmin, errorMessageForGroupsWithSuperAdmin
+}
From 5a75ad93ef3f53c9d056c9a285ab662c9fd85023 Mon Sep 17 00:00:00 2001
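Review bot: CreateErrorMessageForUserRoleGroups builds each list by appending `"%s,"` with `fmt.Sprintf` and then slicing off the trailing comma, which is the hand-rolled form of `strings.Join` (already imported in this file, see ExtractTokenNameFromEmail), and it formats plain strings with `%v` where `%s` says what is meant. Collecting the names into two `[]string` and joining them keeps the output byte-identical while removing the two slice-trim lines and the comments explaining them; the rewrite below does that and adds the missing doc comment for the exported function. Both messages end with a period, so callers that concatenate them (the handler hunks use `%s%s`) need to insert a space themselves, which the doc comment should mention. The function is complete within the hunk.
```go
// CreateErrorMessageForUserRoleGroups renders two user-facing sentences for the
// groups a request could not apply: the first lists groups outside the caller's
// manager scope, the second lists groups refused because they carry the
// super-admin role. Either string is empty when its list is empty; both end
// with a period, so a caller joining them must add a separating space.
func CreateErrorMessageForUserRoleGroups(restrictedGroups []bean2.RestrictedGroup) (string, string) {
	var withSuperAdmin, withoutSuperAdmin []string
	for _, group := range restrictedGroups {
		if group.HasSuperAdminPermission {
			withSuperAdmin = append(withSuperAdmin, group.Group)
		} else {
			withoutSuperAdmin = append(withoutSuperAdmin, group.Group)
		}
	}
	var errorMessageForGroupsWithoutSuperAdmin, errorMessageForGroupsWithSuperAdmin string
	if len(withoutSuperAdmin) > 0 {
		errorMessageForGroupsWithoutSuperAdmin = fmt.Sprintf("You do not have manager permission for some or all projects in group(s): %s.", strings.Join(withoutSuperAdmin, ","))
	}
	if len(withSuperAdmin) > 0 {
		errorMessageForGroupsWithSuperAdmin = fmt.Sprintf("Only super admins can assign groups with super admin permission: %s.", strings.Join(withSuperAdmin, ","))
	}
	return errorMessageForGroupsWithoutSuperAdmin, errorMessageForGroupsWithSuperAdmin
}
```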
From: ashishdevtron <141303172+ashishdevtron@users.noreply.github.com>
Date: Sat, 18 May 2024 11:28:55 +0530
Subject: [PATCH 2/2] feat: support for ca cert in trivy (#5064)
* trivy ca cert sql migration
* sql no update
* sql no update
---
 scripts/sql/247_trivy_ca_cert_support.down.sql | 3 +++
 scripts/sql/247_trivy_ca_cert_support.up.sql | 4 ++++
 2 files changed, 7 insertions(+)
 create mode 100644 scripts/sql/247_trivy_ca_cert_support.down.sql
 create mode 100644 scripts/sql/247_trivy_ca_cert_support.up.sql
diff --git a/scripts/sql/247_trivy_ca_cert_support.down.sql b/scripts/sql/247_trivy_ca_cert_support.down.sql
new file mode 100644
index 0000000000..45fe1a6307
--- /dev/null
+++ b/scripts/sql/247_trivy_ca_cert_support.down.sql
@@ -0,0 +1,3 @@
+UPDATE public.scan_tool_step
+SET cli_command = 'trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}} --username {{.USERNAME}} --password {{.PASSWORD}}'
+WHERE id = 1;
diff --git a/scripts/sql/247_trivy_ca_cert_support.up.sql b/scripts/sql/247_trivy_ca_cert_support.up.sql
new file mode 100644
index 0000000000..5105b2cd60
--- /dev/null
+++ b/scripts/sql/247_trivy_ca_cert_support.up.sql
@@ -0,0 +1,4 @@
+UPDATE public.scan_tool_step
+SET cli_command = '{{if .CA_CERT_FILE_PATH}} SSL_CERT_FILE={{.CA_CERT_FILE_PATH}} {{end}} trivy {{if .insecure}} --insecure {{end}} image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{
+.IMAGE_NAME}} --username {{.USERNAME}} --password {{.PASSWORD}}'
+WHERE id = 1;
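Review bot: The up migration's command literal breaks a line inside a template action (`{{` closes one line and `.IMAGE_NAME}}` opens the next), so the stored command only works if the consumer's template engine accepts newlines inside `{{ }}`; writing `{{.IMAGE_NAME}}` on one line, as the down migration does, removes that dependency. The `SSL_CERT_FILE={{.CA_CERT_FILE_PATH}}` prefix is a shell environment assignment, so it takes effect only when cli_command is run through a shell; if the scan step execs the command directly the assignment would be treated as the program name, which this migration cannot tell us, and a comment in the migration naming the execution assumption would help the next person. `{{if .insecure}} --insecure {{end}}` disables registry certificate verification, so with CA-file support now available that switch should remain opt-in and unset by default, which is worth stating where `insecure` is populated.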