fix: reduces information returned by settings api when accessed anonymously (argoproj#25346)

Signed-off-by: Patroklos Papapetrou <ppapapetrou76@gmail.com>

Author: ppapapetrou76

docs/operator-manual/upgrading/3.2-3.3.md

@@ -0,0 +1,8 @@
+# v3.2 to 3.3
+
+## Breaking Changes
+
+### Anonymous call to Settings API returns fewer fields
+
+The Settings API now returns less information when accessed anonymously.
+It no longer returns the `resourceOverrides` field which is considered sensitive information.

server/settings/settings.go

@@ -99,7 +99,6 @@ func (s *Server) Get(ctx context.Context, _ *settingspkg.SettingsQuery) (*settin
 		URL:                argoCDSettings.URL,
 		AdditionalURLs:     argoCDSettings.AdditionalURLs,
 		AppLabelKey:        appInstanceLabelKey,
-		ResourceOverrides:  overrides,
 		StatusBadgeEnabled: argoCDSettings.StatusBadgeEnabled,
 		StatusBadgeRootUrl: argoCDSettings.StatusBadgeRootUrl,
 		KustomizeOptions: &v1alpha1.KustomizeOptions{
@@ -132,6 +131,7 @@ func (s *Server) Get(ctx context.Context, _ *settingspkg.SettingsQuery) (*settin
 		set.UiBannerPermanent = argoCDSettings.UiBannerPermanent
 		set.UiBannerPosition = argoCDSettings.UiBannerPosition
 		set.ControllerNamespace = s.mgr.GetNamespace()
+		set.ResourceOverrides = overrides
 	}
 	if sessionmgr.LoggedIn(ctx) {
 		set.PasswordPattern = argoCDSettings.PasswordPattern

server/settings/settings_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"testing"
 
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
@@ -14,7 +15,20 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/settings"
 )
 
-const testNamespace = "default"
+const (
+	testNamespace     = "default"
+	resourceOverrides = `{
+    "jsonPointers": [
+        ""
+    ],
+    "jqPathExpressions": [
+        ""
+    ],
+    "managedFieldsManagers": [
+        ""
+    ]
+}`
+)
 
 func fixtures(ctx context.Context, data map[string]string) (*fake.Clientset, *settings.SettingsManager) {
 	kubeClient := fake.NewClientset(&corev1.ConfigMap{
@@ -79,4 +93,25 @@ func TestSettingsServer(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, "instance", resp.AppLabelKey)
 	})
+
+	t.Run("TestGetResourceOverridesNotLoggedIn", func(t *testing.T) {
+		settingsServer := newServer(map[string]string{
+			"resource.customizations.ignoreResourceUpdates.all": resourceOverrides,
+		})
+		resp, err := settingsServer.Get(t.Context(), nil)
+		require.NoError(t, err)
+		assert.Nil(t, resp.ResourceOverrides)
+	})
+
+	t.Run("TestGetResourceOverridesLoggedIn", func(t *testing.T) {
+		//nolint:staticcheck // it's ok to use built-in type string as key for value for testing purposes
+		loggedInContext := context.WithValue(t.Context(), "claims", &jwt.MapClaims{"iss": "qux", "sub": "foo", "email": "bar", "groups": []string{"baz"}})
+		settingsServer := newServer(map[string]string{
+			"resource.customizations.ignoreResourceUpdates.all": resourceOverrides,
+		})
+		resp, err := settingsServer.Get(loggedInContext, nil)
+		require.NoError(t, err)
+		assert.NotNil(t, resp.ResourceOverrides)
+		assert.NotEmpty(t, resp.ResourceOverrides["*/*"])
+	})
 }