kubero-dev · mms-gianni · May 31, 2025 · May 31, 2025
diff --git a/server/src/addons/addons.controller.ts b/server/src/addons/addons.controller.ts
@@ -5,7 +5,7 @@ import {
   ApiForbiddenResponse,
   ApiOperation,
 } from '@nestjs/swagger';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
 
 @Controller({ path: 'api/addons', version: '1' })

diff --git a/server/src/apps/apps.controller.ts b/server/src/apps/apps.controller.ts
@@ -21,8 +21,9 @@ import {
 } from '@nestjs/swagger';
 import { ApiBearerAuth } from '@nestjs/swagger';
 import { GetAppDTO } from './apps.dto';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
+import { ReadonlyGuard } from '../common/guards/readonly.guard';
 
 @Controller({ path: 'api/apps', version: '1' })
 export class AppsController {
@@ -48,15 +49,16 @@ export class AppsController {
     return this.appsService.getApp(pipeline, phase, app);
   }
 
-  @ApiOperation({ summary: 'Create an app' })
   @Post('/:pipeline/:phase/:app')
+  @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @HttpCode(HttpStatus.CREATED)
+  @ApiOperation({ summary: 'Create an app' })
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   async createApp(
     @Param('pipeline') pipeline: string,
@@ -90,14 +92,15 @@ export class AppsController {
     return this.appsService.createApp(app, user);
   }
 
-  @ApiOperation({ summary: 'Update an app' })
   @Put('/:pipeline/:phase/:app/:resourceVersion')
+  @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
+  @ApiOperation({ summary: 'Update an app' })
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   async updateApp(
     @Param('pipeline') pipeline: string,
@@ -123,14 +126,15 @@ export class AppsController {
     return this.appsService.updateApp(app, resourceVersion, user);
   }
 
-  @ApiOperation({ summary: 'Delete an app' })
   @Delete('/:pipeline/:phase/:app')
+  @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
+  @ApiOperation({ summary: 'Delete an app' })
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   async deleteApp(
     @Param('pipeline') pipeline: string,
@@ -147,14 +151,15 @@ export class AppsController {
     return this.appsService.deleteApp(pipeline, phase, app, user);
   }
 
-  @ApiOperation({ summary: 'Start a Pull Request App' })
   @Post('/pullrequest')
+  @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
+  @ApiOperation({ summary: 'Start a Pull Request App' })
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   async startPullRequest(@Body() body: any) {
     return this.appsService.createPRApp(
@@ -165,14 +170,14 @@ export class AppsController {
     );
   }
 
-  @ApiOperation({ summary: 'Download the app templates' })
   @Get('/:pipeline/:phase/:app/download')
+  @UseGuards(JwtAuthGuard)
+  @ApiOperation({ summary: 'Download the app templates' })
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   async downloadAppTemplates(
     @Param('pipeline') pipeline: string,
@@ -182,14 +187,15 @@ export class AppsController {
     return this.appsService.getTemplate(pipeline, phase, app);
   }
 
-  @ApiOperation({ summary: 'Restart/Reload an app' })
   @Get('/:pipeline/:phase/:app/restart')
+  @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
+  @ApiOperation({ summary: 'Restart/Reload an app' })
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   async restartApp(
     @Param('pipeline') pipeline: string,
@@ -207,14 +213,14 @@ export class AppsController {
     return this.appsService.restartApp(pipeline, phase, app, user);
   }
 
-  @ApiOperation({ summary: 'Get the app pods' })
   @Get('/:pipeline/:phase/:app/pods')
+  @UseGuards(JwtAuthGuard)
+  @ApiOperation({ summary: 'Get the app pods' })
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   async getPods(
     @Param('pipeline') pipeline: string,
@@ -224,14 +230,15 @@ export class AppsController {
     return this.appsService.getPods(pipeline, phase, app);
   }
 
-  @ApiOperation({ summary: 'Start a container console' })
   @Post('/:pipeline/:phase/:app/console')
+  @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
+  @ApiOperation({ summary: 'Start a container console' })
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   async execInContainer(
     @Param('pipeline') pipeline: string,

diff --git a/server/src/audit/audit.controller.ts b/server/src/audit/audit.controller.ts
@@ -13,7 +13,7 @@ import {
   ApiForbiddenResponse,
   ApiOperation,
 } from '@nestjs/swagger';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
 
 @Controller({ path: 'api/audit', version: '1' })

diff --git a/server/src/auth/auth.controller.ts b/server/src/auth/auth.controller.ts
@@ -22,7 +22,7 @@ import {
   LoginDTO,
   GetSessionDTO,
 } from './auth.dto';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 import { JwtAuthGuard } from './strategies/jwt.guard';
 import { AuthGuard } from '@nestjs/passport';
 

diff --git a/server/src/shared/dto/ok.dto.ts → server/src/common/dto/ok.dto.ts b/server/src/shared/dto/ok.dto.ts → server/src/common/dto/ok.dto.ts
diff --git a/server/src/common/guards/readonly.guard.ts b/server/src/common/guards/readonly.guard.ts
@@ -0,0 +1,13 @@
+import { CanActivate, ExecutionContext, Injectable, HttpException, Logger } from '@nestjs/common';
+
+@Injectable()
+export class ReadonlyGuard implements CanActivate {
+  private logger = new Logger(ReadonlyGuard.name);
+  canActivate(context: ExecutionContext): boolean {
+    if (process.env.KUBERO_READONLY === 'true') {
+      this.logger.warn('Kubero is in read-only mode, write operations are blocked');
+      throw new HttpException('Kubero is in read-only mode', 202);
+    }
+    return true;
+  }
+}
diff --git a/server/src/config/config.controller.ts b/server/src/config/config.controller.ts
@@ -8,8 +8,9 @@ import {
   ApiOperation,
   ApiParam,
 } from '@nestjs/swagger';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
+import { ReadonlyGuard } from '../common/guards/readonly.guard';
 
 @Controller({ path: 'api/config', version: '1' })
 export class ConfigController {
@@ -30,6 +31,7 @@ export class ConfigController {
 
   @Post('/')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiOperation({ summary: 'Update the Kubero settings' })
   @ApiForbiddenResponse({
@@ -143,6 +145,7 @@ export class ConfigController {
 
   @Post('/setup/kubeconfig/validate')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
@@ -178,6 +181,7 @@ export class ConfigController {
 
   @Post('/setup/save')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',

diff --git a/server/src/deployments/deployments.controller.ts b/server/src/deployments/deployments.controller.ts
@@ -18,20 +18,21 @@ import {
 } from '@nestjs/swagger';
 import { IUser } from '../auth/auth.interface';
 import { CreateBuild } from './dto/CreateBuild.dto';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
+import { ReadonlyGuard } from '../common/guards/readonly.guard';
 
 @Controller({ path: 'api/deployments', version: '1' })
 export class DeploymentsController {
   constructor(private readonly deploymentsService: DeploymentsService) {}
 
   @Get('/:pipeline/:phase/:app')
+  @UseGuards(JwtAuthGuard)
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiOperation({ summary: 'List deployments for a specific app' })
   @ApiParam({ name: 'pipeline', description: 'Pipeline name' })
@@ -46,12 +47,13 @@ export class DeploymentsController {
   }
 
   @Post('/build/:pipeline/:phase/:app')
+  @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiOperation({ summary: 'Build a specific app' })
   @ApiParam({ name: 'pipeline', description: 'Pipeline name' })
@@ -89,6 +91,7 @@ export class DeploymentsController {
 
   @Delete('/:pipeline/:phase/:app/:buildName')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
@@ -154,6 +157,7 @@ export class DeploymentsController {
 
   @Put('/:pipeline/:phase/:app/:tag')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',

diff --git a/server/src/kubernetes/kubernetes.controller.ts b/server/src/kubernetes/kubernetes.controller.ts
@@ -12,7 +12,7 @@ import {
   ContextDTO,
   GetEventsDTO,
 } from './dto/kubernetes.dto';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
 
 @Controller({ path: 'api/kubernetes', version: '1' })
@@ -79,12 +79,12 @@ export class KubernetesController {
   }
 
   @Get('/contexts')
+  @UseGuards(JwtAuthGuard)
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
     type: OKDTO,
     isArray: false,
   })
-  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiOkResponse({
     description: 'A List of available contexts',

diff --git a/server/src/logs/logs.controller.ts b/server/src/logs/logs.controller.ts
@@ -7,7 +7,7 @@ import {
 } from '@nestjs/swagger';
 import { LogsService } from './logs.service';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 
 @Controller({ path: 'api/logs', version: '1' })
 export class LogsController {

diff --git a/server/src/metrics/metrics.controller.ts b/server/src/metrics/metrics.controller.ts
@@ -7,7 +7,7 @@ import {
 } from '@nestjs/swagger';
 import { MetricsService } from './metrics.service';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 
 @Controller({ path: 'api/metrics', version: '1' })
 export class MetricsController {

diff --git a/server/src/pipelines/pipelines.controller.ts b/server/src/pipelines/pipelines.controller.ts
@@ -21,10 +21,11 @@ import {
 } from '@nestjs/swagger';
 import { CreatePipelineDTO } from './dto/replacePipeline.dto';
 import { GetPipelineDTO } from './dto/getPipeline.dto';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 import { IUser } from '../auth/auth.interface';
 import { IPipeline } from './pipelines.interface';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
+import { ReadonlyGuard } from '../common/guards/readonly.guard';
 
 @Controller({ path: 'api/pipelines', version: '1' })
 export class PipelinesController {
@@ -50,6 +51,7 @@ export class PipelinesController {
 
   @Post('/:pipeline')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
@@ -114,6 +116,7 @@ export class PipelinesController {
 
   @Put('/:pipeline')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
@@ -151,6 +154,7 @@ export class PipelinesController {
 
   @Delete('/:pipeline')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',

diff --git a/server/src/repo/repo.controller.ts b/server/src/repo/repo.controller.ts
@@ -14,8 +14,9 @@ import {
   ApiOperation,
   ApiParam,
 } from '@nestjs/swagger';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
+import { ReadonlyGuard } from '../common/guards/readonly.guard';
 
 @Controller({ path: 'api/repo', version: '1' })
 export class RepoController {
@@ -143,6 +144,7 @@ export class RepoController {
 
   @Post('/:provider/connect')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',
@@ -163,6 +165,7 @@ export class RepoController {
 
   @Post('/:provider/disconnect')
   @UseGuards(JwtAuthGuard)
+  @UseGuards(ReadonlyGuard)
   @ApiBearerAuth('bearerAuth')
   @ApiForbiddenResponse({
     description: 'Error: Unauthorized',

diff --git a/server/src/security/security.controller.ts b/server/src/security/security.controller.ts
@@ -6,7 +6,7 @@ import {
   ApiOperation,
 } from '@nestjs/swagger';
 import { JwtAuthGuard } from '../auth/strategies/jwt.guard';
-import { OKDTO } from '../shared/dto/ok.dto';
+import { OKDTO } from '../common/dto/ok.dto';
 
 @Controller({ path: 'api/security', version: '1' })
 export class SecurityController {