synced/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2025-03-29 22:02:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: azure app configuration integration

Browse Source
This commit is contained in:
Sheen Capadngan
2024-10-22 19:41:10 +08:00
parent fd7e196f8b
commit e7e0d84c8e
8 changed files with 538 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/src/services/integration-auth/integration-app-list.ts
View File

@ -1113,6 +1113,8 @@ export const getApps = async ({
});
case Integrations.AZURE_KEY_VAULT:
return [];
case Integrations.AZURE_APP_CONFIGURATION:
return [];
case Integrations.AWS_PARAMETER_STORE:
return [];
case Integrations.AWS_SECRET_MANAGER:

12
backend/src/services/integration-auth/integration-list.ts
View File

@ -33,7 +33,8 @@ export enum Integrations {
NORTHFLANK = "northflank",
HASURA_CLOUD = "hasura-cloud",
RUNDECK = "rundeck",
AZURE_DEVOPS = "azure-devops"
AZURE_DEVOPS = "azure-devops",
AZURE_APP_CONFIGURATION = "azure-app-configuration"
}
export enum IntegrationType {
@ -206,6 +207,15 @@ export const getIntegrationOptions = async () => {
clientId: appCfg.CLIENT_ID_AZURE,
docsLink: ""
},
{
name: "Azure App Configuration",
slug: "azure-app-configuration",
image: "Microsoft Azure.png",
isAvailable: true,
type: "oauth",
clientId: appCfg.CLIENT_ID_AZURE,
docsLink: ""
},
{
name: "Circle CI",
slug: "circleci",

185
backend/src/services/integration-auth/integration-sync-secret.ts
View File

@ -24,6 +24,7 @@ import { Octokit } from "@octokit/rest";
import AWS, { AWSError } from "aws-sdk";
import { AxiosError } from "axios";
import { randomUUID } from "crypto";
import https from "https";
import sodium from "libsodium-wrappers";
import isEqual from "lodash.isequal";
import { z } from "zod";
@ -270,6 +271,180 @@ const syncSecretsGCPSecretManager = async ({
}
};
const syncSecretsAzureAppConfig = async ({
integration,
secrets,
accessToken,
createManySecretsRawFn,
updateManySecretsRawFn,
integrationDAL
}: {
integration: TIntegrations & {
projectId: string;
environment: {
id: string;
name: string;
slug: string;
};
secretPath: string;
};
secrets: Record<string, { value: string; comment?: string } | null>;
accessToken: string;
createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise<Array<{ id: string }>>;
updateManySecretsRawFn: (params: TUpdateManySecretsRawFn) => Promise<Array<{ id: string }>>;
integrationDAL: Pick<TIntegrationDALFactory, "updateById">;
}) => {
interface AzureAppConfigKeyValue {
key: string;
value: string;
}
const getCompleteAzureAppConfigValues = async (url: string) => {
let result: AzureAppConfigKeyValue[] = [];
while (url) {
const res = await request.get(url, {
headers: {
Authorization: `Bearer ${accessToken}`
},
// we force IPV4 because docker setup fails with ipv6
httpsAgent: new https.Agent({
family: 4
})
});
result = result.concat(res.data.items);
url = res.data.nextLink;
}
return result;
};
const metadata = IntegrationMetadataSchema.parse(integration.metadata);
const azureAppConfigSecrets = (
await getCompleteAzureAppConfigValues(
`${integration.app}/kv?api-version=2023-11-01&key=${metadata.secretPrefix || ""}*`
)
).reduce(
(accum, entry) => {
accum[entry.key] = entry.value;
return accum;
},
{} as Record<string, string>
);
const secretsToAdd: { [key: string]: string } = {};
const secretsToUpdate: { [key: string]: string } = {};
Object.keys(azureAppConfigSecrets).forEach((key) => {
if (!integration.lastUsed) {
// first time using integration
// -> apply initial sync behavior
switch (metadata.initialSyncBehavior) {
case IntegrationInitialSyncBehavior.OVERWRITE_TARGET: {
if (!(key in secrets)) {
secrets[key] = null;
}
break;
}
case IntegrationInitialSyncBehavior.PREFER_TARGET: {
if (!(key in secrets)) {
secretsToAdd[key] = azureAppConfigSecrets[key];
} else if (secrets[key]?.value !== azureAppConfigSecrets[key]) {
secretsToUpdate[key] = azureAppConfigSecrets[key];
}
secrets[key] = {
value: azureAppConfigSecrets[key]
};
break;
}
case IntegrationInitialSyncBehavior.PREFER_SOURCE: {
if (!(key in secrets)) {
secrets[key] = {
value: azureAppConfigSecrets[key]
};
secretsToAdd[key] = azureAppConfigSecrets[key];
}
break;
}
default: {
break;
}
}
} else if (!(key in secrets)) {
secrets[key] = null;
}
});
if (Object.keys(secretsToAdd).length) {
await createManySecretsRawFn({
projectId: integration.projectId,
environment: integration.environment.slug,
path: integration.secretPath,
secrets: Object.keys(secretsToAdd).map((key) => ({
secretName: key,
secretValue: secretsToAdd[key],
type: SecretType.Shared,
secretComment: ""
}))
});
}
if (Object.keys(secretsToUpdate).length) {
await updateManySecretsRawFn({
projectId: integration.projectId,
environment: integration.environment.slug,
path: integration.secretPath,
secrets: Object.keys(secretsToUpdate).map((key) => ({
secretName: key,
secretValue: secretsToUpdate[key],
type: SecretType.Shared,
secretComment: ""
}))
});
}
// create or update secrets on Azure App Config
for await (const key of Object.keys(secrets)) {
if (!(key in azureAppConfigSecrets) || secrets[key]?.value !== azureAppConfigSecrets[key]) {
await request.put(
`${integration.app}/kv/${key}?api-version=2023-11-01`,
{
value: secrets[key]?.value
},
{
headers: {
Authorization: `Bearer ${accessToken}`
},
// we force IPV4 because docker setup fails with ipv6
httpsAgent: new https.Agent({
family: 4
})
}
);
}
}
for await (const key of Object.keys(azureAppConfigSecrets)) {
if (!(key in secrets) || secrets[key] === null) {
// case: delete secret
await request.delete(`${integration.app}/kv/${key}?api-version=2023-11-01`, {
headers: {
Authorization: `Bearer ${accessToken}`
},
// we force IPV4 because docker setup fails with ipv6
httpsAgent: new https.Agent({
family: 4
})
});
}
}
await integrationDAL.updateById(integration.id, {
lastUsed: new Date()
});
};
/**
* Sync/push [secrets] to Azure Key Vault with vault URI [integration.app]
*/
@ -4041,6 +4216,16 @@ export const syncIntegrationSecrets = async ({
accessToken
});
break;
case Integrations.AZURE_APP_CONFIGURATION:
await syncSecretsAzureAppConfig({
integration,
integrationDAL,
secrets,
accessToken,
createManySecretsRawFn,
updateManySecretsRawFn
});
break;
case Integrations.AWS_PARAMETER_STORE:
response = await syncSecretsAWSParameterStore({
integration,

34
backend/src/services/integration-auth/integration-token.ts
View File

@ -131,6 +131,35 @@ const exchangeCodeAzure = async ({ code }: { code: string }) => {
};
};
const exchangeCodeAzureAppConfig = async ({ code }: { code: string }) => {
const accessExpiresAt = new Date();
const appCfg = getConfig();
if (!appCfg.CLIENT_ID_AZURE || !appCfg.CLIENT_SECRET_AZURE) {
throw new BadRequestError({ message: "Missing client id and client secret" });
}
const res = (
await request.post<ExchangeCodeAzureResponse>(
IntegrationUrls.AZURE_TOKEN_URL,
new URLSearchParams({
grant_type: "authorization_code",
code,
scope: "https://azconfig.io/.default openid offline_access",
client_id: appCfg.CLIENT_ID_AZURE,
client_secret: appCfg.CLIENT_SECRET_AZURE,
redirect_uri: `${appCfg.SITE_URL}/integrations/azure-app-configuration/oauth2/callback`
})
)
).data;
accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + res.expires_in);
return {
accessToken: res.access_token,
refreshToken: res.refresh_token,
accessExpiresAt
};
};
const exchangeCodeHeroku = async ({ code }: { code: string }) => {
const accessExpiresAt = new Date();
const appCfg = getConfig();
@ -434,6 +463,10 @@ export const exchangeCode = async ({
return exchangeCodeAzure({
code
});
case Integrations.AZURE_APP_CONFIGURATION:
return exchangeCodeAzureAppConfig({
code
});
case Integrations.HEROKU:
return exchangeCodeHeroku({
code
@ -746,6 +779,7 @@ export const exchangeRefresh = async (
accessExpiresAt: Date;
}> => {
switch (integration) {
case Integrations.AZURE_APP_CONFIGURATION:
case Integrations.AZURE_KEY_VAULT:
return exchangeRefreshAzure({
refreshToken

3
frontend/public/data/frequentConstants.ts
View File

@ -35,7 +35,8 @@ const integrationSlugNameMapping: Mapping = {
"gcp-secret-manager": "GCP Secret Manager",
"hasura-cloud": "Hasura Cloud",
rundeck: "Rundeck",
"azure-devops": "Azure DevOps"
"azure-devops": "Azure DevOps",
"azure-app-configuration": "Azure App Configuration"
};
const envMapping: Mapping = {

263
frontend/src/pages/integrations/azure-app-configuration/create.tsx Normal file
View File

@ -0,0 +1,263 @@
import { useEffect } from "react";
import { Controller, useForm } from "react-hook-form";
import Head from "next/head";
import Image from "next/image";
import Link from "next/link";
import { useRouter } from "next/router";
import { faArrowUpRightFromSquare, faBookOpen } from "@fortawesome/free-solid-svg-icons";
import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
import { zodResolver } from "@hookform/resolvers/zod";
import queryString from "query-string";
import { z } from "zod";
import { SecretPathInput } from "@app/components/v2/SecretPathInput";
import { useCreateIntegration } from "@app/hooks/api";
import { IntegrationSyncBehavior } from "@app/hooks/api/integrations/types";
import {
Button,
Card,
CardTitle,
FormControl,
Input,
Select,
SelectItem
} from "../../../components/v2";
import { useGetIntegrationAuthById } from "../../../hooks/api/integrationAuth";
import { useGetWorkspaceById } from "../../../hooks/api/workspace";
const schema = z.object({
baseUrl: z
.string()
.trim()
.min(1, { message: "Azure App Configuration URL is required" })
.url()
.refine(
(val) => val.endsWith(".azconfig.io"),
"URL should have the following format: https://resource-name-here.azconfig.io"
),
secretPath: z.string().trim().min(1, { message: "Secret path is required" }),
sourceEnvironment: z.string().trim().min(1, { message: "Source environment is required" }),
initialSyncBehavior: z.nativeEnum(IntegrationSyncBehavior),
secretPrefix: z.string().default("")
});
type TFormSchema = z.infer<typeof schema>;
const initialSyncBehaviors = [
{
label: "No Import - Overwrite all values in Azure App Configuration",
value: IntegrationSyncBehavior.OVERWRITE_TARGET
},
{
label: "Import - Prefer values from Azure App Configuration",
value: IntegrationSyncBehavior.PREFER_TARGET
},
{ label: "Import - Prefer values from Infisical", value: IntegrationSyncBehavior.PREFER_SOURCE }
];
export default function AzureAppConfigurationCreateIntegration() {
const router = useRouter();
const {
control,
setValue,
handleSubmit,
formState: { isSubmitting }
} = useForm<TFormSchema>({
resolver: zodResolver(schema),
defaultValues: {
secretPath: "/",
secretPrefix: "",
initialSyncBehavior: IntegrationSyncBehavior.PREFER_SOURCE
}
});
const { mutateAsync } = useCreateIntegration();
const { integrationAuthId } = queryString.parse(router.asPath.split("?")[1]);
const { data: workspace } = useGetWorkspaceById(localStorage.getItem("projectData.id") ?? "");
const { data: integrationAuth } = useGetIntegrationAuthById((integrationAuthId as string) ?? "");
useEffect(() => {
if (workspace) {
setValue("sourceEnvironment", workspace.environments[0].slug);
}
}, [workspace]);
const handleIntegrationSubmit = async ({
secretPath,
sourceEnvironment,
baseUrl,
initialSyncBehavior,
secretPrefix
}: TFormSchema) => {
try {
if (!integrationAuth?.id) return;
await mutateAsync({
integrationAuthId: integrationAuth?.id,
isActive: true,
app: baseUrl,
sourceEnvironment,
secretPath,
metadata: {
initialSyncBehavior,
secretPrefix
}
});
router.push(`/integrations/${localStorage.getItem("projectData.id")}`);
} catch (err) {
console.error(err);
}
};
return integrationAuth && workspace ? (
<form
onSubmit={handleSubmit(handleIntegrationSubmit)}
className="flex h-full w-full flex-col items-center justify-center"
>
<Head>
<title>Set Up Azure App Configuration Integration</title>
<link rel="icon" href="/infisical.ico" />
</Head>
<Card className="max-w-lg rounded-md border border-mineshaft-600">
<CardTitle
className="text-left text-xl"
subTitle="Choose which environment in Infisical you want to sync to your Azure App Configuration."
>
<div className="flex flex-row items-center">
<div className="flex items-center">
<Image
src="/images/integrations/Microsoft Azure.png"
height={35}
width={35}
alt="Azure logo"
/>
</div>
<span className="ml-1.5">Azure App Configuration</span>
<Link href="https://infisical.com/docs/integrations/cloud/aws-secret-manager" passHref>
<a target="_blank" rel="noopener noreferrer">
<div className="ml-2 mb-1 inline-block cursor-default rounded-md bg-yellow/20 px-1.5 pb-[0.03rem] pt-[0.04rem] text-sm text-yellow opacity-80 hover:opacity-100">
<FontAwesomeIcon icon={faBookOpen} className="mr-1.5" />
Docs
<FontAwesomeIcon
icon={faArrowUpRightFromSquare}
className="ml-1.5 mb-[0.07rem] text-xxs"
/>
</div>
</a>
</Link>
</div>
</CardTitle>
<div className="px-6">
<Controller
control={control}
name="sourceEnvironment"
render={({ field, fieldState: { error } }) => (
<FormControl
label="Project Environment"
errorText={error?.message}
isError={Boolean(error)}
>
<Select
className="w-full border border-mineshaft-500"
value={field.value}
onValueChange={(val) => {
field.onChange(val);
}}
>
{workspace?.environments.map((sourceEnvironment) => (
<SelectItem
value={sourceEnvironment.slug}
key={`source-environment-${sourceEnvironment.slug}`}
>
{sourceEnvironment.name}
</SelectItem>
))}
</Select>
</FormControl>
)}
/>
<Controller
control={control}
name="secretPath"
render={({ field, fieldState: { error } }) => (
<FormControl label="Secrets Path" errorText={error?.message} isError={Boolean(error)}>
<SecretPathInput {...field} />
</FormControl>
)}
/>
<Controller
control={control}
name="baseUrl"
render={({ field, fieldState: { error } }) => (
<FormControl
label="Azure App Configuration URL"
errorText={error?.message}
isError={Boolean(error)}
>
<Input
placeholder="https://infisical-configuration-integration-test.azconfig.io"
{...field}
/>
</FormControl>
)}
/>
<Controller
control={control}
name="secretPrefix"
render={({ field, fieldState: { error } }) => (
<FormControl label="Key Prefix" errorText={error?.message} isError={Boolean(error)}>
<Input {...field} />
</FormControl>
)}
/>
<Controller
control={control}
name="initialSyncBehavior"
render={({ field: { onChange, ...field }, fieldState: { error } }) => (
<FormControl
label="Initial Sync Behavior"
errorText={error?.message}
isError={Boolean(error)}
>
<Select
defaultValue={field.value}
onValueChange={(e) => onChange(e)}
className="w-full border border-mineshaft-500"
>
{initialSyncBehaviors.map((b) => {
return (
<SelectItem
value={b.value}
key={`sync-behavior-${b.value}`}
className="w-full"
>
{b.label}
</SelectItem>
);
})}
</Select>
</FormControl>
)}
/>
<Button
type="submit"
color="mineshaft"
variant="outline_bg"
className="mb-6 mt-4 ml-auto"
isLoading={isSubmitting}
>
Create Integration
</Button>
</div>
</Card>
</form>
) : (
<div />
);
}
AzureAppConfigurationCreateIntegration.requireAuth = true;

38
frontend/src/pages/integrations/azure-app-configuration/oauth2/callback.tsx Normal file
View File

@ -0,0 +1,38 @@
import { useEffect } from "react";
import { useRouter } from "next/router";
import queryString from "query-string";
import { useAuthorizeIntegration } from "@app/hooks/api";
export default function AzureAppConfigurationOAuth2CallbackPage() {
const router = useRouter();
const { mutateAsync } = useAuthorizeIntegration();
const { code, state } = queryString.parse(router.asPath.split("?")[1]);
useEffect(() => {
(async () => {
try {
// validate state
if (state !== localStorage.getItem("latestCSRFToken")) return;
localStorage.removeItem("latestCSRFToken");
const integrationAuth = await mutateAsync({
workspaceId: localStorage.getItem("projectData.id") as string,
code: code as string,
integration: "azure-app-configuration"
});
router.push(
`/integrations/azure-app-configuration/create?integrationAuthId=${integrationAuth.id}`
);
} catch (err) {
console.error(err);
}
})();
}, []);
return <div />;
}
AzureAppConfigurationOAuth2CallbackPage.requireAuth = true;

3
frontend/src/views/IntegrationsPage/IntegrationPage.utils.tsx
View File

@ -44,6 +44,9 @@ export const redirectForProviderAuth = (integrationOption: TCloudIntegration) =>
case "azure-key-vault":
link = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${integrationOption.clientId}&response_type=code&redirect_uri=${window.location.origin}/integrations/azure-key-vault/oauth2/callback&response_mode=query&scope=https://vault.azure.net/.default openid offline_access&state=${state}`;
break;
case "azure-app-configuration":
link = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${integrationOption.clientId}&response_type=code&redirect_uri=${window.location.origin}/integrations/azure-app-configuration/oauth2/callback&response_mode=query&scope=https://azconfig.io/.default openid offline_access&state=${state}`;
break;
case "aws-parameter-store":
link = `${window.location.origin}/integrations/aws-parameter-store/authorize`;
break;